(English) Cybersecurity Handbook For Civil Society Organizations - 0

Cybersecurity
Handbook
for
Civil Society Organizations
A guide for civil society organizations looking to get

started on a cybersecurity plan
Cybersecurity
Handbook
for
Civil Society Organizations
A guide for civil society organizations looking

to get started on a cybersecurity plan
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter
to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.
Table of Contents
Visual Legend 4
The Top 10 6
Authors & Acknowledgments 7
Who are We? 7
Who is this Handbook for? 8
What is a security plan and why should my organization have one? 8
What assets does your organization have and what do you want to protect? 9
Who are your adversaries and what are their capabilities and motivations? 9
What threats does your organization face? And how likely and high-impact are they? 10
Creating your Organizational Cybersecurity Plan 11
Building a Culture of Security 12
Integrate Security into your Regular Operating Structure 13
Get Organizational Buy-In 14
Establish a Training Plan 14
A Strong Foundation: Securing Accounts and Devices 16
Secure Accounts: Passwords and Two Factor Authentication 18
Secure Devices 26
Phishing: A Common Threat to Devices and Accounts 32
Communicating and Storing Data Securely 37
Communications and Sharing Data 38
Storing Data Securely 50
Staying Safe on the Internet 53
Browsing Securely 54
Social Media Safety 64
Keep your Websites Online 66
Protect your WiFi Network 67
Protecting Physical Security 68
Protecting Physical Assets 70
What To Do When Things Go Wrong 74
Appendix A: Recommended Resources 78
Appendix B: Security Plan Starter Kit 79

Visual Legend
Throughout the Handbook, you will find a few different recurring, highlighted elements in addition
to the main text. Here is a short “legend” to help you understand the core elements:
Case Study Extra Tips Real World

Indicates case studies that highlight Highlights some extra tips and Calls out common examples of
the real-life impact of a certain information to pay attention to as cybersecurity tactics tools used in
topic on civil society organizations you read the Handbook. the “real world”, both for good and
globally or in a specific country. for bad.
Advanced Security Plan Building Blocks

Indicates an advanced topic - Indicates the “Security Plan Building
information that is important for Blocks”, which are the key take-
your organization to consider, but aways from each section of the
that might be a bit more technical or Handbook.
complicated.
4 CyberSecurity Handbook
1 2
Building a Culture A Strong Foundation: Securing

of Security Accounts and Devices
3 4
Communicating and Staying Safe on

Storing Data Securely the Internet
5 6
Protecting Physical What To Do When

Security Things Go Wrong
5
The Top 10
These ten elements are critical to your organization’s security plan. If you are looking for
somewhere to start, look here first.
1 2
Conduct regular security training Be alert to phishing and have a
within your organization reporting system
3 4
Use encryption for all Require strong passwords and
communication - end-to-end, implement a password manager
when possible across your organization
5 6
Require two factor Ensure all staff devices and
authentication wherever software are kept up to date
possible
7 8
Use secure cloud storage Use HTTPS and, if appropriate, a
VPN, for accessing the internet
9 10
Protect your organization’s Develop an organizational
physical assets incident response plan
Authors & Acknowledgments
Lead Author: Evan Summers (NDI)
Contributing Authors: Sarah Moulton (NDI); Chris Doten (NDI)
In developing this Handbook, we’d like (OrgSec) Community. This Handbook is designed to
complement those more in-depth materials, combining key
to particularly thank our expert external lessons into a one-stop, easy-to-read resource for civil society
reviewers who provided us with valuable organizations looking to get started on a cybersecurity plan.
feedback, edits, and suggestions as we pulled
In addition to taking indirect inspiration from many wonderful
together this content, including: resources compiled by the community, we have directly copied
useful language from a handful of existing resources as well
Fiona Krakenburger, Open Technology Fund; Bill Budington throughout this Handbook, particularly the Electronic Frontier
and Shirin Mori, Electronic Frontier Foundation; Jocelyn Foundation’s Surveillance Self Defense Guide, Tactical Tech’s
Woolbright, Cloudflare; Martin Shelton, Freedom of the Press Holistic Security Manual, and a range of explainers from the
Foundation; Dave Leichtman, Microsoft; Stephen Boyce, Center for Democracy and Technology and the Freedom of
International Foundation for Electoral Systems; Amy Studdart, the Press Foundation. You can find specific citations to these
International Republican Institute; Emma Hollingsworth, resources throughout the sections below, and complete links,
Global Cyber Alliance; Caroline Sinders, Convocation Design + author, and license information within Appendix A.
Research; Dhyta Caturani; Sandra Pepera, NDI; Aaron Azelton,
NDI; and Whitney Pfeifer, NDI. We also strongly recommend that anyone reading this
Handbook make use of the extensive library of digital security
We also want to acknowledge all the incredible manuals, guides and resources compiled and updated by the Open
guides, workbooks, training modules and other materials Technology Fund.
developed and maintained by the Organizational Security
Who are We?

The National Democratic Institute for Within NDI, the Democracy and Technology team seeks
to foster a global digital ecosystem in which democratic
International Affairs (NDI) is a nonprofit, values are protected, promoted, and can thrive; governments
nonpartisan organization, based in Washington are more transparent and inclusive; and all citizens are
D.C., that works in partnership around the empowered to hold their government accountable. We do this
work by supporting a global network of activists committed
world to strengthen and safeguard democratic to digital resilience, and through collaboration with partners
institutions, processes, norms and values to on tools and resources like this Handbook. You can learn more
secure a better quality of life for all. about our work on our website, by following us on Twitter, or
by reaching out directly to cyberhandbook@ndi.org. We are
always happy to hear from you and answer questions about
NDI believes all people have the right to live in a world that
our team and our work on cybersecurity, technology, and
respects their dignity, security, and political rights—and that
democracy.
the digital world is no exception.
7
Who is this Handbook for?
This Handbook was written with a simple goal there are likely hundreds of other smaller attacks each year
that go undetected or unreported, many aimed at civil society
in mind: to help your civil society organization organizations working to support democracy, accountability,
develop an understandable and implementable and human rights. Organizations representing women or other
cybersecurity plan. marginalized groups are often particularly targeted.
Cyberattacks like these have significant consequences.

As the world increasingly moves online, cybersecurity is not Whether their aim is to take your money, repress your
just a buzzword but a critical concept for the success of an voice, disrupt your organizational operations, damage
organization and safety of a team. Particularly for civil society your reputation, or even steal information that can lead to
organizations in the democracy, advocacy, accountability, and psychological or physical harm to your partners or staff,
human rights spaces, the security of information (both online such threats need to be taken seriously. The good thing is
and off) is a challenge that requires focus, investment and that you do not need to become a coder or a technologist
vigilance. to defend yourself and your organization against common
threats. However, you do need to be prepared to invest effort,
Your organization will likely find itself – if it has not already energy, and time in developing and implementing a strong
– the target of a cybersecurity attack. This is not intended to organizational security plan. If you have never thought about
be alarmist; it is reality even for organizations that do not cybersecurity in your organization, have not had time to focus
consider themselves to be particular targets. on it, or know some basics about the topic but think your
organization could enhance its cybersecurity, this Handbook
In an average year, the Center for Strategic and International is for you. Regardless of where you are coming from, this
Studies, which maintains a running list of what they term Handbook aims to give your organization the essential
“Significant Cyber Incidents,” catalogs hundreds of serious information it needs to put a strong security plan in place.
cyber attacks, many of which target dozens if not hundreds A plan that goes beyond simply putting words on paper and
of organizations at once. In addition to such reported attacks, enables you to put best practices into action.
What is a security plan and why

should my organization have one?
A security plan is the set of written policies, threats, focusing too much on one risk or ignoring cybersecurity
until there is a crisis. When you start developing a security plan
procedures, and instructions your organization there are some important questions to ask yourself that form
has agreed upon to achieve the level of security a process called a risk assessment. Answering these questions
you and your team think is appropriate to keep helps your organization understand the unique threats that you
face and allows you to step back and think comprehensively
your people, partners, and information safe. about what you need to protect and from whom you need to
protect it. Trained assessors, aided with systems like Internews’
A well-crafted and updated organizational security plan can SAFETAG auditing framework, can help lead your organization
both keep you safe and make you more effective by providing through such a process. If you can get access to that level
the peace of mind needed to focus on your organization’s of professional expertise it is well worth it, but even if you
important day-to-day work. Without thinking through a cannot undergo a full assessment, you should meet with your
comprehensive plan, it is very easy to be blind to some types of organization to thoughtfully consider these key questions:
1 What assets does your organization
have and what do you want to protect?
You can start answering these questions by creating a catalog them (perhaps multiple digital or physical places), and what
of all your organization’s assets. Information such as messages, prevents others from accessing, damaging, or disrupting them.
emails, contacts, documents, calendars, and locations are all Keep in mind that not everything is equally important. If
possible assets. Phones, computers and other devices can be some of the organization’s data is a matter of public record, or
assets. And people, connections, and relationships might be information you already publish, they are not secrets that you
assets too. Make a list of your assets and try to catalog them need to protect.
by their importance to the organization, where you keep
2 Who are your adversaries and what are

their capabilities and motivations?
“Adversary” is a term commonly used in organizational security. For example, governments often have lots of money and
In simple terms, adversaries are the actors (individuals or powerful capabilities including shutting down the internet
groups) that are interested in targeting your organization, or using expensive surveillance technology; mobile networks
disrupting your work, and gaining access to or destroying your and internet providers likely have access to call records and
information: the bad guys. Examples of potential adversaries browsing histories; skilled hackers on public Wi-Fi networks
could include financial scammers, competitors, local or national have the capability to intercept poorly secured communications
authorities or governments, or ideologically or politically or financial transactions. You can even become your own
motivated hackers. It is important to make a list of your adversary, for example, by accidentally deleting important files
adversaries and think critically about who might want to or sending private messages to the wrong person.
negatively impact your organization and staff. While it is easy
to envision external actors (like a foreign government or a The motives of adversaries are likely to differ along with
particular political group) as adversaries, also keep in mind that their capacity, interests, and strategies. Are they interested in
adversaries can be people that you know, such as disgruntled discrediting your organization? Perhaps they are intent on
employees, former staff, and unsupportive family members or silencing your message? Or maybe they see your organization
partners. Different adversaries pose different threats and have as competition and want to gain an edge? It is important to
different resources and capabilities to disrupt your operations understand an adversary’s motivation because doing so can
and gain access to or destroy your information. help your organization better assess the threats it might pose.
9
3 What threats does your organization
face? And how likely and high-impact
are they?
As you identify possible threats, you are

likely to end up with a long list which can be
overwhelming. You may feel any efforts would
be pointless, or not know where to begin.
To help empower your organization to take
productive next steps, it is helpful to analyze To help you manage this risk assessment
each threat based upon two factors: the process, consider using a worksheet, like this one
developed by the Electronic Frontier Foundation.
likelihood that the threat will take place; and Keep in mind that the information you develop
the impact if it does. as part of this process (such as a list of your
adversaries and the threats they pose) might itself
To measure the likelihood of a threat (perhaps “low, medium be sensitive, so it is important to keep it secure.
or high” based on if a given event is unlikely to take place,
could happen, or frequently happens), you can use information
you know about your adversaries’ capacity and motivation,
analysis of past security incidents, other similar organizations’
experiences, and of course the presence of any existing
mitigation strategies your organization has put in place.
To measure the impact of a threat, think about what your world

would look like if the threat actually did occur. Ask questions
like “How has the threat harmed us as an organization and
as people, physically and mentally?”, “How long-lasting is the
effect?”, “Does this create other harmful situations?”, and “How
does it hamper our ability to achieve our organizational goals
now and in the future?” As you answer these questions, consider
if the threat is low, medium, or high impact.
Once you have categorized your threats by likelihood and

impact, you can begin to make a more informed plan of action.
By focusing on those threats that are most likely to happen
AND that will have significant negative impacts, you will be
channeling your limited resources in the most efficient and
effective way possible.
Your goal is always to mitigate as much risk as possible, but no

one – not the most well-resourced government or company on
earth – can ever fully eliminate risk. And that is OK: you can do
a lot to protect yourself, your colleagues, and your organization
by taking care of the biggest threats.
Creating your Organizational
Cybersecurity Plan
While every organization’s security plan will
look a little bit different based upon its risk Security Plan Starter Kit
assessment and organizational dynamics,
certain core concepts are nearly universal.
This Handbook addresses these essential concepts in a way that To help your organization process
will help your organization build a concrete security plan based
the Handbook’s lessons and turn
upon practical solutions and real-world applications.
them into a real plan, make use of
This Handbook endeavors to provide options and suggestions this starter kit. You can either print
that are free or very low cost. Keep in mind that the most
out the kit or fill it in digitally while
significant cost associated with implementing an effective
security plan will be the time you and your organization need to you read the Handbook online. As
talk about, learn, and implement your new plan. Given the risks you take notes and begin to update
your organization is likely to face, though, this investment will
or craft your security plan, be sure to
be more than worth it.
reference the “Security Plan Building
In each section, you will find an explanation of a key topic that Blocks” detailed in each section. No
your organization and its staff should be aware of - what it
security plan is complete without, at
is and why it is important. Each topic is paired with essential
strategies, approaches, and recommended tools to limit your minimum, addressing these essential
risk and tips and links to additional resources that can help you elements.
implement such recommendations across your organization.
Take advantage of other resources that can help you build and implement your plan as well. As a Civil Society
organization, the free SOAP (“Securing Organizations with Automated Policymaking”) app can help simplify and
automate the creation of your security plan.
Also make use of free training resources like Consumer Reports’ Security Planner, the Umbrella app from Security First,
the Totem Project from Free Press Unlimited and Greenhost, and the Global Cyber Alliance Cybersecurity Toolkit for
Mission Based Organizations, which include resources on many of the best practices mentioned in this Handbook and
links to dozens of training tools to help you implement many core basics.
11
Building a
Culture of
Security
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
Securing Accounts
and Devices
Security is all about people, and to protect that will build the resilience of your staff and
your organization you need to make sure organization in the face of security threats. One
that everyone involved takes cybersecurity of the simplest but most important steps to take
seriously. Changing culture is hard, but a few to build this organizational security culture is to
simple steps and important conversations can communicate about it within your organization,
go a long way towards creating an atmosphere and for leaders to always model good behavior.
Integrate Security into your Regular Operating

Structure
As is described in detail in Tactical Tech’s and facilitating a discussion on security between members of
the organization, which can help develop the idea that security
Holistic Security Guide, it is essential to create is everyone’s responsibility and not just that of a select few
regular, safe spaces to talk about the different or the “IT Team.” As you begin to formalize discussion about
aspects of security. security, staff will likely feel more comfortable discussing
these important issues amongst themselves as well in less
This way, if team members have concerns around security, they formal settings.
will be less anxious about seeming paranoid or wasteful of
other people’s time. Scheduling regular conversations about It is also important to incorporate security elements into
security also normalizes the frequency of interaction and the normal functioning of the organization, such as during
reflection on matters relating to security, so that the issues employee onboarding – and thinking about cutting off access
are not forgotten, and team members are more likely to bring to systems during off-boarding. Security should not be some
at least a passive awareness of security to their ongoing work. “extra thing” to worry about, but rather an integral part of your
It does not need to be every week, but make it a recurring strategy and operations.
reminder. These discussions should not only leave space for
topics of technical security, but also issues that impact staff Remember that all security plans should be
comfort and safety such as community conflict, online (and considered living documents, and should be re-
offline) harassment, or issues with using and implementing
digital tools. Conversations can even include topics like offline evaluated and discussed regularly, especially
information-sharing habits and the ways staff do or do not when new employees or volunteers join the
secure information outside of work. After all, it is important organization or your security context changes.
to remember that an organization’s security is only as
strong as its weakest link. One way to accomplish consistent
Plan to revisit your strategy and make updates annually,
engagement is by adding security to the agenda of a regular
or if there are major changes in strategy, tools, or the
meeting. You can also rotate the responsibility for organizing
threats you face.

Securing Accounts
and Devices
Get Organizational Buy-In
Part of a successful security culture is also through all the elements and steps of the plan so that there is
no mystery or confusion about what you are trying to achieve.
ensuring buy-in across your organization to Many donors now require grantees to maintain strong security,
your security plan. so stressing this to staff can be a good way to create deeper
organizational buy-in as well. When talking about security, avoid
Critically this must include strong, vocal support and guidance scare tactics. Sometimes the threats that your organization and
from organizational leaders who will, in many cases, be the ones staff face can be scary, but try to focus on sharing facts and
making the final decision to allocate time, resources, and energy creating a calm space for questions and concerns. Making the
towards developing and implementing an effective security dangers seem too threatening can cause people to dismiss you
plan. If they do not take it seriously, no one else will. To achieve as sensationalist or simply give up, thinking nothing they do
this buy-in across the organization, think carefully about when matters – and nothing could be further from the truth.
and how to introduce your plan, do so in a clear manner, make
sure leadership reinforces the messages, and walk everyone
Establish a Training Plan
Once you have developed and committed to upon varying levels of familiarity with digital tools and the
internet. A fear of failure only further disincentivizes staff
a plan, think about how you will train all staff from reporting problems or seeking help. However, creating
(and volunteers) on these new best practices. positive accountability and rewards for successful training
and adoption of policies can help incentivize improvement
Requiring regular training - and making attendance of training across the organization. You may find additional valuable
mandatory and an evaluation point for staff performance support through local or international digital security training
reviews - can be a helpful tactic. Avoid creating harsh, networks and free training resources such as the Umbrella
negative consequences for staff who struggle with security app from Security First, the Totem Project from Free Press
concepts. Keep in mind that certain staff may adapt to Unlimited and Greenhost, and the Global Cyber Alliance
and learn about technology differently than others based Learning Portal.
Securing Accounts
and Devices
Building a Culture of Security
o Schedule regular conversations and trainings about security and your security plan.
o Get everyone involved - distribute responsibility for implementing your security
plan across the entire organization.
o Ensure leadership models good security behavior and a commitment to your plan.
o Avoid fear tactics or punishment - reward improvement and create a comfortable
space for staff to report problems and seek help.
o Update your security plan annually or after major changes in the organization.

A Strong
Foundation:
Securing
Accounts and
Devices
Securing Accounts
and Devices
Securing Accounts
and Devices
Why the focus on accounts and devices? matter how secure your messaging apps are. Or if an adversary
Because they form the foundation of everything gains access to your organization’s social media accounts, they
could easily harm your reputation and credibility, undermining
that your organization does digitally. the success of your work. Therefore it is essential as an
organization to ensure that everyone is taking some simple
You almost certainly access sensitive information, but effective steps to keep their devices and accounts secure.
communicate internally and externally, and save private It is important to note that these recommendations include
information on them. If they are not secure, then all these personal accounts and devices as well, as those are often easy
things and more can be put at risk. For example, if hackers targets for adversaries. Hackers will gladly go after the easiest
are watching your keystrokes or listening to your microphone, target and break into a personal account or home computer if
private conversations with colleagues will be captured no your team is using them to communicate and access important
information.
Secure Accounts and Civil Society
The widely publicized SolarWinds hack revealed in Facebook in 2020. According to their report, hacking
late 2020, which compromised over 250 organizations, groups in Bangladesh targeted the accounts of local civil
including most United States government departments, society activists, journalists, and religious minorities.
technology vendors like Microsoft and Cisco, and NGOs Unfortunately the hackers were able to successfully
was partly a result of hackers guessing poor passwords compromise some of these Facebook accounts, including
that were used on important administrator accounts. an administrator for a local group’s Facebook Page. With
Overall, about 80 percent of all hacking-related breaches access to the admin account, the hackers removed the
occur because of weak or reused passwords. remaining admins and took over and disabled the page,
preventing the group from sharing key information
With the increasing prevalence of password breaches and communicating to their audience. Facebook’s
like this and easier access for all kinds of adversaries investigation discovered that the accounts were likely
to sophisticated password hacking tools, password best compromised through various means, including abuse of
practices and two-factor authentication are a security its account recovery process. If all the accounts had been
must-haves for civil society organizations. One example using two-factor authentication, such attacks would have
of civil society accounts under attack was reported by been much more difficult for the hackers to effectively
execute.
1
Securing Accounts
and Devices
Secure Accounts: Passwords and Two-Factor

Authentication
In today’s world it is likely that your Think about the different accounts that individual staff and
the organization as a whole may have: email, chat apps, social
organization and its staff have dozens if not media, online banking, cloud data storage, as well as clothing
hundreds of accounts that, if breached, could stores, the local restaurants, newspapers, and many other
expose sensitive information or even get at-risk website or app that you log into. Good security in today’s world
requires a diligent approach to protecting all of these accounts
individuals hurt. from attacks. That starts with ensuring good password hygiene
and the use of two-factor authentication throughout the entire
organization.
WHAT MAKES A GOOD PASSWORD?

There are three keys to a good, strong password: length, randomness, and uniqueness.
The longer the password is, the harder it is for an adversary to guess it.
Most password hacks are done by computer programs these days, and it
LENGTH does not take those nefarious programs long to crack a short password.
As a result, it is essential that your passwords are at minimum 16
characters, or at least five words, and preferably longer.
Even if a password is long, it is not very good if it is something that an

adversary can easily guess about you. Avoid including information like
RANDOMNESS your birthday, hometown, favorite activities, or other facts that someone
could find out about you from a quick internet search.
Perhaps the most common password “worst practice” is using the same
password for multiple sites. Repeating passwords is a big problem because
it means that when just one of those accounts is compromised, any other
accounts using that same password are vulnerable too. If you use the same
UNIQUENESS passphrase on multiple sites, it can greatly increase the impact of one
mistake or data breach. While you may not care about your password for
the local library, if it is hacked and you use the same password on a more
sensitive account, important information could be stolen.
Securing Accounts
and Devices
One easy way to achieve these goals of length, randomness, and uniqueness is picking three or four common but
random words. For example, your password could be “flower lamp green bear” which is easy to remember but hard to
guess. You can take a look at this website from Better Buys to see an estimate of just how quickly bad passwords can
be cracked.
USE A PASSWORD MANAGER Why do we need to use something new?

Can we not just write them down on paper
TO HELP or in a spreadsheet on the computer?
So you know it is important for everyone in the organization Unfortunately, there are many common approaches to managing
to use a long, random, and different password for each of passwords that are not secure. Storing passwords on sheets of
their personal and organizational accounts, but how do you paper (unless you keep them locked away in a safe) can expose
actually do that? Memorizing a good password for dozens (if them to physical theft, prying eyes, and easy loss and damage.
not hundreds) of accounts is impossible, so everyone has to Saving passwords on a document on your computer makes it
cheat. The wrong way to do it is to reuse passwords. Luckily, we much easier for a hacker to gain access – or for someone who
can turn to digital password managers to make our lives much steals your computer to not only have your device but also
easier (and our password practices much safer) instead. These access to all of your accounts. Using a good password manager
applications, many of which can be accessed via computer or is just as easy as that document, but far more secure.
mobile device, can create, store, and manage passwords for
you and your entire organization. Adopting a secure password
manager means that you will only ever have to remember
Why should we trust a password
one very strong, long password called the primary password manager?
(historically referred to as a “master” password), while being able
to get the security benefits of using good, unique passwords Quality password managers go to extraordinary lengths (and
across all of your accounts. You will use this primary password employ excellent security teams) to keep their systems secure.
(and ideally a second factor of authentication (2FA), which Good password management apps (a few are recommended
will be discussed in the next section) to open your password below) are also set up so that they do not have the ability to
manager and unlock access to all your other passwords. “unlock” your accounts. This means that in most cases, even if
Password managers can also be shared across multiple they were hacked or legally compelled to hand over information,
accounts to facilitate secure password sharing throughout the they would not be able to lose or give up your passwords. It is
organization. also important to remember that it is infinitely more likely that
an adversary guesses one of your weak or repeated passwords,
or finds one in a public data breach, than that a good password
manager would have its security systems broken. It is important
to be skeptical, and you definitely should not blindly trust all
software and applications, but reputable password managers
have all the right incentives to do the right thing.

Securing Accounts
and Devices
Instead of using your browser (such as Chrome, shown at left) to save your passwords, use a dedicated password
manager (like Bitwarden, shown at right). Password managers have features that make life both more secure and
convenient for your organization.
a dedicated password manager so useful and beneficial to

What about storing passwords in the
your organization’s security. Password managers also include
browser? organization-specific features (such as password sharing) that
provide not just individual security value, but value to your
Saving passwords in your browser is not the same as using a organization as a whole. If you have been saving passwords
secure password manager. In short, you should not use Chrome, with your browser (intentionally or unintentionally), take a
Firefox, Safari or any other browser as your password manager. moment to remove them.
Although it is definitely an improvement over writing them on
paper or saving them in a spreadsheet, the basic password-
saving features of your web browser leave something to be
desired from a security perspective. These shortcomings also What password manager should we use?
rob you of much of the convenience that a good password
manager brings. Losing this convenience makes it more likely Many good password management tools exist that can be
that people across your organization will continue poor set-up in less than 30 minutes. If you are looking for a trusted
password creation and sharing practices. online option for your organization that people can access
from multiple devices at any time, 1Password (starts at $2.99
For example, unlike dedicated password managers, browsers’ USD per user per month) or the free, open-source Bitwarden
built-in “save this password” or “remember this password” are both well supported and recommended. An online option
features do not provide simple mobile compatibility, cross- like Bitwarden can be great for both security and convenience.
browser functionality, and strong password generation and Bitwarden, for example, will help you create strong unique
auditing tools. These features are a big part of what makes passwords and access passwords from multiple devices through
Securing Accounts
and Devices
browser extensions and a mobile app. With the paid version

What if someone forgets their primary
($10 USD for a full year) Bitwarden also provides reports on
reused, weak, and possibly breached passwords to help you password?
stay on top of things. Once you set up your primary password
(referred to as a master password), you should also turn on two- It is essential to remember your primary password. Good
factor authentication to keep your password manager’s vault as password management systems like the ones recommended
secure as possible. above will not remember your primary password for you or
allow you to reset it directly via email the way you might be
It is essential to practice good security when using your able to for websites. This is a good security feature, but also
password manager too. For instance, if you use your password makes it essential to commit your primary password to memory
manager’s browser extension or log in to Bitwarden (or any when you first set up your password manager. To help with
other password manager) on a device, remember to log out after this, consider setting up a daily reminder to recall your primary
use if you are sharing that device or believe that you might be password when you first create a password manager account.
at heightened risk of physical device theft. This includes logging
out from your password manager if you leave a computer or
mobile device unattended. If sharing passwords across your
organization, also be sure to revoke access to passwords (and
change the passwords themselves) when people leave the
organization. You do not want a former employee to keep access
to your organization’s Facebook password, for example.
Using a password manager for Your Organization
You can strengthen your entire organization’s password for staff. You can securely share credentials within the
practices and ensure all individual staff have access to password manager itself to different user accounts.
(and use) a password manager by implementing one And Bitwarden, for example, also provides a convenient
across the entire organization. Instead of having each end-to-end encrypted text and file sharing feature called
individual staff member set up their own, consider “ Bitwarden Send” within its team plan. Both of these
investing in a “team” or “business” plan. For example, features give your organization more control over who
Bitwarden’s “teams organization” plan costs $3USD can see and share which passwords, and provides a more
per user per month. With it (or other team plans from secure option for sharing credentials for team-wide or
password managers like 1Password), you have the ability group accounts. If you do set up an organization-wide
to manage all shared passwords across the organization. password manager, be sure that someone is specifically
The features of an organization-wide password manager in charge of removing staff accounts and changing any
not only provide greater security but also convenience shared passwords when someone leaves the team.

Securing Accounts
and Devices
WHAT IS TWO-FACTOR HOW CAN WE SET UP 2FA?

AUTHENTICATION? There are three common methods for 2FA: security keys,
authentication apps, and one-time SMS codes.
However good your password hygiene, it is all too common for
hackers to get around passwords. Keeping your accounts secure
from some common threat actors in today’s world requires
Security Keys
another layer of protection. That is where multi-factor or two-
Security keys are the best option, in part because they are
factor authentication comes into play – referred to as MFA or
almost completely phishing-proof. These “keys” are hardware
2FA. There are many great guides and resources explaining
tokens (think mini USB drives) that can attach to your keychain
two-factor authentication, including Martin Shelton’s Two-
(or stay in your computer) for easy access and safekeeping.
Factor Authentication for Beginners article and the Center
When it is time to use the key to unlock a given account, you
for Democracy & Technology’s Election Cybersecurity 101
simply insert it into your device and physically tap it when
Field Guide. This section borrows heavily from both of those
prompted during login. There are a wide range of models
resources to help explain why 2FA is so important to implement
that you can purchase online ($20-50 USD), including highly
across your organization. In short, 2FA strengthens account
regarded YubiKeys. The New York Times’ Wirecutter has a
security by requiring a second piece of information – something
helpful guide with some recommendations for which keys to
more than just a password – to gain access. The second piece
purchase. Keep in mind that the same security key can be used
of information is usually something that you have, like a code
for as many accounts as you would like. While security keys
from an app on your phone or a physical token or key. This
are on the expensive side for many organizations, initiatives
second piece of information acts as a second layer of defense. If
such as Google’s Advanced Protection Program or Microsoft’s
a hacker steals your password or gains access to it via a dump
AccountGuard provide these keys for free to some qualifying
of passwords from a major data breach, effective 2FA can keep
at-risk groups. Contact the people who gave you the Handbook
them from accessing your account (and therefore away from
to see if they can connect you to such programs or contact
private and sensitive information). Ensuring that everyone in
cyberhandbook@ndi.org.
the organization puts 2FA in place on their accounts is critically
important.
Securing Accounts
and Devices
Authentication Apps Codes Via SMS

The second-best option for 2FA is authentication apps. These The least secure but unfortunately still most common
services allow you to receive a temporary two-factor login form of 2FA are codes sent via SMS. Because SMS can be
code through a mobile app or push notification on your intercepted and phone numbers can be spoofed or hacked
smartphone. Some popular and trusted options include Google via your mobile carrier, SMS leaves a lot to be desired as a
Authenticator, Authy, and Duo Mobile. Authenticator apps are method for requesting 2FA codes. It is better than only using
also great because they work when you do not have access a password, but authenticator apps or a physical security key
to your cellular network and are free to use for individuals. are recommended when at all possible. A determined adversary
However, authenticator apps are more susceptible to phishing can get access to SMS 2FA codes, usually just by calling the
than security keys because users can be tricked into entering phone company and swapping your SIM card. When you are
security codes from an authentication app into a fake website. ready to start enabling 2FA for all of your organization’s various
Take care to only enter login codes on legitimate websites. And accounts, make use of this website (https://2fa.directory/) to
do not “accept” login push notifications unless you are sure that quickly look up information and instructions for specific services
you are the one who made the login request. It is also essential (like Gmail, Office 365, Facebook, Twitter, etc.) and to see which
when using an authenticator app to be prepared with backup services allow for which types of 2FA.
codes (discussed below) in case your phone is lost or stolen.
2FA and Civil Society
According to a recent Amnesty International report,

hackers targeting human rights defenders in Uzbekistan
used phishing attacks to trick users into sharing
passwords *and* two factor authentication codes to their
email accounts via fake Gmail login pages. Such attacks
are an increasingly common way to “bypass” two factor
authentication. It is important - even with 2FA in place
- to be careful about where you type your codes. Better
yet, you can eliminate this risk by adopting physical
security keys.

Securing Accounts
and Devices
WHAT IF SOMEONE LOSES A

Security Keys in the Real 2FA DEVICE?
World
If using a security key, treat it the same way you would treat a key
By providing physical security keys for two factor for your house or apartment, if you have one. In short, do not lose
authentication to all 85,000+ of its employees, it. Just like your house keys though, it is always a good idea to have
Google (a very high risk, highly targeted a backup key registered to your account that stays locked away in
organization) effectively eliminated any successful a safe place (like a safe at home or a safe deposit box) just in case
phishing attacks against the organization. This of loss or theft. Alternatively you should create backup codes for
case shows just how effective security keys can be accounts that allow it. You should keep these codes saved in a very
for even the most at-risk organizations. secure place, like your password manager or a physical safe. Such
backup codes can be generated within most sites’ 2FA settings
(the same place where you enable 2FA in the first place), and can
act as a backup key in case of emergency. The most common 2FA
mishap occurs when people replace or lose phones which they use
for authentication apps. If using Google Authenticator, you are out
of luck if your phone is stolen, unless you save the backup codes
that are generated at the time you connect an account to Google
Authenticator. Therefore, if you are using Google Authenticator as
a 2FA app, be sure to save the backup codes for all accounts that
you connect in a secure place. If using Authy or Duo, both apps
have built-in backup features with strong security settings that you
can enable. If you choose either of those apps, you can configure
those backup options in case of device breakage, loss, or theft. See
Authy’s instructions here, and Duo’s here. Be sure that everyone in
your organization is aware of these steps as they start to enable
2FA across all of their accounts.
Enforcing 2FA Across Your Organization
If your organization provides email accounts to all staff follow these instructions to enforce 2FA for your domain.
through Google Workspace (formerly known as GSuite) or You can do something similar in Microsoft 365 following
Microsoft 365 using your own domain (for example, @ these steps as a domain admin.
ndi.org), you can enforce 2FA and strong security settings
for all accounts. Such enforcement not only helps protect Consider also enrolling your organization’s accounts
these accounts, but it also acts as a way to introduce in the Advanced Protection Program (Google) or
and normalize 2FA to your staff so that they are more AccountGuard (Microsoft) to enforce additional security
comfortable with adopting it for personal accounts controls and require physical security keys for two-factor
as well. As a Google Workspace administrator, you can authentication.
Securing Accounts
and Devices
Secure Accounts
o Require strong passwords for all organizational accounts; encourage the same for
staff and volunteer’s personal accounts.
o Implement a trusted password manager for the organization (and encourage use in
staff’s personal lives as well).
• Require a strong primary password and 2FA for all password manager accounts.
• Remind everyone to log out of a password manager on shared devices or when at
heightened risk of device theft or confiscation.
o Change shared passwords when staff leave the organization.
o Only share passwords securely, such as through your organization’s password
manager or end-to-end encrypted apps.
o Require 2FA on all organizational accounts, and encourage staff to setup 2FA on all
personal accounts as well.
• If possible, provide physical security keys to all staff.
• If security keys are not in your budget, encourage the use of authenticator apps
instead of SMS or phone calls for 2FA.
o Hold regular training to ensure staff are aware of password and 2FA best practices,
including what makes a strong password and the importance of never reusing
passwords, only accepting legitimate 2FA requests, and generating backup 2FA
codes.

Securing Accounts
and Devices
Secure Devices
In addition to accounts, it is essential to keep requires Chinese companies to provide data to the central
government. Therefore, despite the ubiquitous and inexpensive
all devices – computers, phones, USBs, external presence of smartphones like Huawei or ZTE, they should be
hard drives, etc. – well protected. avoided. Although the cost of cheap hardware can be very
attractive to an organization, the potential security risks for
Such protection starts with being careful about what type organizations advocating for democracy, human rights, or
of devices your organization and staff purchase and use. accountability should steer you towards other device options,
Any vendors or manufacturers that you select should have a as this access to data has helped facilitate the Chinese
demonstrated track record of adhering to global standards government and other governments’ targeting of certain
regarding the secure development of hardware devices (like individuals and communities. Your adversaries can compromise
phones and computers). Any devices you procure should be the security of your devices - and everything you do from those
manufactured by trusted companies that do not have an devices - by either gaining physical access or “remote” access to
incentive to hand over data and information to a potential your device.
adversary. It is important to note that the Chinese government
Device Security and Civil Society
Some of the world’s most advanced malware has been discontinued file sharing program). For those targets
developed and deployed across the globe to target civil who opened the files, their devices became infected with
society organizations and human rights defenders. In software that recorded audio, intercepted keystrokes and
India, for example, Amnesty International reported that messages, and in effect put them under full surveillance
at least nine human rights defenders were targeted in of the attackers. Such attacks, which are frequently aimed
2020 with spyware (a type of malicious software) on at civil society groups and their individual staff, are an
their mobile devices and computers. The spyware was unfortunately common way for attackers to gain “remote”
delivered through a series of phishing emails with links access to a device.
to infected files shared through Firefox Send (a since
Securing Accounts
and Devices
PHYSICAL DEVICE ACCESS What about device encryption?
THROUGH LOSS OR THEFT It is important to use encryption, scrambling data so that it is

unreadable and unusable, on all devices, especially computers
and smartphones. You should set up all devices across your
To prevent physical compromise, it is essential to keep your
organization with something called full-disk encryption if
devices physically secure. In short, do not make it easy for an
possible. Full-disk encryption means that the entirety of
adversary to steal or even temporarily take your device from
a device is encrypted so that an adversary, if they were to
you. Keep devices locked away if left at home or in an office. Or
physically steal it, would be unable to extract a device’s
if you think it is safer, keep them on your person. This of course
contents without knowing the password or key you used to
means that part of device security is the physical security of
encrypt it. Many modern smartphones and computers offer
your workspaces (whether in an office setting or at home). You
full-disk encryption. Apple devices like iPhones and iPads,
will need to install strong locks, security cameras, or other
quite conveniently, turn on full-disk encryption when you set a
monitoring systems - especially if your organization is at high
normal device passcode. Apple computers using macOS provide
risk. Remind staff to treat devices the same way they would
a feature called FileVault that you can turn on for full-disk
treat a large stack of cash - do not leave them lying around
encryption.Windows computers running pro, enterprise, or
unattended or unprotected.
education licenses offer a feature called BitLocker that you can
turn on for full-disk encryption. You can turn on BitLocker by
What if a device is stolen? following these instructions from Microsoft, which may have to
first be enabled by your organization’s administrator. If staff only
To limit the impact if someone does manage to steal a device have a home license for their Windows computers, BitLocker is
– or even if they just gain access to it for a short period of not available. However, they can still turn on full-disk encryption
time – be sure to mandate the use of strong passwords or by going to ‘Update & Security’ > ‘Device encryption’ under the
passcodes on everyone’s computers and phones. The same Windows OS settings.
password tips from the Passwords section of this Handbook
apply to a good password for a computer or laptop. When it Android devices, as of version 9.0 and later, ship with file-based
comes to locking your phone, use codes that are at least six encryption turned on by default. Android’s file-based encryption
to eight digits, and avoid using “swipe patterns” to unlock the operates differently from full-disk encryption but still provides
screen. For additional tips on screen locks, check out Tactical strong security. If you are using a relatively new Android phone
Tech’s Data Detox Kit. Using good device passwords makes it and have set a passcode, file-based encryption should be
much harder for an adversary to quickly access information enabled. However, it is a good idea to check your settings just
on your device in the case of theft or confiscation. With a to make sure, especially if your phone is more than a couple of
strong passcode in place, activating Face ID or fingerprint years old. To check, go to Settings > Security on your Android
unlock can be fine, but be sure to deactivate it (while leaving device. Within the security settings, you should see a subsection
your strong passcode in place) before any high-risk activities for “encryption” or “encryption and credentials”, which will
such as protests or border crossings if you and your staff are indicate if your phone is encrypted and, if not, allow you to turn
concerned about device confiscation from authorities. If any encryption on.
devices issued by the organization have a “Find my Device”
feature, such as iPhone’s Find My iPhone and Android’s Find My For computers (whether Windows or Mac), it is particularly
Device, consider requiring staff to activate it. Encourage staff important to store any encryption keys (referred to as recovery
to use these features on personal devices as well. With these keys) in a safe place. These “recovery keys” are, in most cases,
features turned on, the device owner (or a trusted contact) can essentially long passwords or passphrases. In case you forget
locate the device or remotely wipe its contents should it be your normal device password or something unexpected
stolen, lost, or confiscated. For iPhones, you can also configure happens (such as device failure), recovery keys are the only way
the device to auto-wipe after several failed login attempts. Such to recover your encrypted data and, if necessary, move it to a
device management features become critically important for an new device. Therefore, when turning on full-disk encryption,
organization when a device with sensitive information is lost or be sure to save these keys or passwords in a safe place, like a
gets into the wrong hands. secured cloud account or your organization’s password manager.

Securing Accounts
and Devices
come with built-in anti-malware software, nor do Android and

REMOTE DEVICE ACCESS – iOS devices. You can install a reputable, free-to-use tool like
Bitdefender or Malwarebytes for those devices (and Windows
ALSO KNOWN AS HACKING computers as well). But do not rely on that as your only line of
defense as they will certainly miss some of the most targeted,
In addition to keeping devices physically secure, it is important dangerous new attacks.
to keep them free from malware. Tactical Tech’s
Security-in-a-Box gives a helpful description of what malware is Additionally, be very careful to only download reputable anti-
and why it is important to avoid, which is adapted malware or anti-virus tools from legitimate sources (such
slightly in the rest of this section. as the websites linked above). Unfortunately, many fake or
compromised versions of anti-malware tools exist that do much
more harm than good.
Understanding and avoiding malware
To the extent that you do use Bitdefender or another anti-
There are many ways to classify malware (which is a term
malware tool across your organization, be sure not to run two of
meaning malicious software). Viruses, spyware, worms, trojans,
them at the same time. Many of them will identify the behavior
rootkits, ransomware and cryptojackers are all types of malware.
of another anti-malware program as suspicious and stop it
Some types of malware spread over the internet through email,
from running, leaving both malfunctioning. Bitdefender or other
text messages, malicious web pages, and other means. Some
reputable anti-malware programs can be updated for free, and
spread through devices like USB memory sticks that are used to
the built-in Windows Defender receives updates along with
exchange and steal data. And, while some malware requires an
your computer. Ensure that your anti-malware software updates
unsuspecting target to make a mistake, others can silently infect
itself regularly (some trial versions of commercial software
vulnerable systems without you doing anything wrong at all.
that ship with a computer will be disabled after the trial period
expires, leaving it more dangerous than helpful.) New malware
In addition to general malware, which is released widely and
is written and distributed every day, and your computer will
aimed at the general public, targeted malware is typically used
quickly become even more vulnerable if you do not keep up
to interfere with or spy on a particular individual, organization,
with new malware definitions and anti-malware techniques. If
or network. Regular criminals use these techniques, but so do
possible, you should configure your software to install updates
military and intelligence services, terrorists, online harassers,
automatically. If your anti-malware tool has an optional “always
abusive spouses, and shady political actors.
on” feature, you should enable it, and consider occasionally
scanning all of the files on your computer.
Whatever they are called, however they are distributed,
malware can ruin computers, steal and destroy data, bankrupt
organizations, invade privacy, and put users at risk. In short,
Keep devices up to date
malware is really dangerous. However, there are some simple
steps that your organization can take to protect itself against
Updates are essential. Use the latest version of whatever
this common threat.
operating system runs on a device (Windows, Mac, Android, iOS,
etc), and keep that operating system up to date. Keep other
Will an anti-malware tool protect us? software, browser, and an+y browser plugins up to date as well.
Install updates as soon as they become available, ideally by
Anti-malware tools are unfortunately not a complete solution. turning on automatic updates. The more up to date a device’s
However, it is a very good idea to use some basic, free tools as operating system, the less vulnerabilities you have. Think of
a baseline. Malware changes so quickly, with new risks in the updates kind of like putting a band-aid on an open cut: it seals
real world so frequently, that relying on any such tool cannot be up a vulnerability and greatly reduces the chance that you
your only defense. will get infected. Also uninstall software that you no longer
use. Outdated software often has security issues, and you may
If you are using Windows, you should have a look at the have installed a tool that is no longer being updated by the
built-in Windows Defender. Macs and Linux computers do not developer, leaving it more vulnerable to hackers.
Securing Accounts
and Devices
Be smart while browsing
Malware in the Real World: Never accept and run applications that come from websites
you do not know and trust. Rather than accepting an “update”
Updates Are Essential offered in a pop-up browser window, for example, check
for updates on the relevant application’s official website.
In 2017, the WannaCry ransomware attacks As discussed in the Phishing Section of the Handbook, it is
infected millions of devices around the world, essential to stay alert when browsing websites. Check the
shutting down hospitals, government entities, destination of a link (by hovering over it) before you click, and
large and small organizations and businesses glance at the website address after you follow a link and make
in dozens of countries. Why was the attack so sure it looks appropriate before entering sensitive information
effective? Because of out of date, “unpatched” like your password. Do not click through error messages
Windows operating systems, many of which were or warnings, and watch for browser windows that appear
initially pirated. Much of the damage – human automatically and read them carefully instead of just clicking
and financial – could have been avoided with Yes or OK.
better automated updating practices and the use
of legitimate operating systems.
What about smartphones?
As with computers, keep your phone’s operating system and
applications up to date, and turn on automatic updates. Install
only from official or trusted sources like Google’s Play Store and
Apple’s App Store (or F-droid, a free, open-source app store for
Android). Apps can have malware inserted into them and still
appear to work normally, so you will not always know if one
is malicious. Be sure that you are downloading the legitimate
version of an app as well. Especially on Androids, “fake” versions
of popular applications exist. So be sure an app is created by
the proper company or developer, has good reviews, and has the
expected number of downloads (for example, a fake version of
Be careful about USBs WhatsApp might only have a few thousand downloads, but the
real version has over 5 billion). Pay attention to the permissions
Be cautious when opening files that are sent to you as
that your apps request. If they seem excessive (like a calculator
attachments, through download links, or by any other means.
requiring access to your camera or Angry Birds asking for access
Also think twice before inserting removable media like USB
to your location, for example) deny the request or uninstall the
sticks, flash memory cards, DVDs and CDs into your computer,
app. Uninstalling apps that you no longer use can also help
as they can be a vector for malware. USBs that have been
protect your smartphone or tablet. Developers sometimes sell
shared for a while are very likely to have viruses on them.
ownership of their apps to other people. These new owners may
For alternative options to share files securely across your
try to make money by adding malicious code.
organization, take a look at the File Sharing Section of the
Handbook.
Be cautious as well about what other devices you connect

to through Bluetooth. It is fine to sync up your phone or
computer to a known and trusted Bluetooth speaker to play
your favorite music, but be careful about linking to or accepting
requests from any devices that you do not recognize. Only
allow connections to trusted devices and remember to turn off
Bluetooth when it is not in use.

Securing Accounts
and Devices
Malware in the Real World: Malicious Mobile Apps

Hackers in multiple countries have been using fake about local churches. Once installed by unwitting
applications in the Google Play store to distribute Android users, the malicious applications collected call
malware for years. One particular case targeted at users logs, location data, and information about contacts and
in Vietnam came to light in April 2020. This spying text messages. This is just one of many reasons to be
campaign used fake applications, which supposedly careful about what apps you download to your devices.
helped users find nearby pubs or look up information
Save money and increase device security

with Tails for your Organization
One very secure option which requires a bit of technical you to start with a clean slate each time you restart
skill to set up is the Tails operating system. This portable your computer. Tails also has a persistence mode, which
operating system is free to use and you can boot it allows you to save important files and settings across
up straight from a USB, bypassing the need to rely on multiple sessions if desired.
licensed Windows or Mac operating systems. Tails is
also a good option for those at extremely high risk, Another option for a free, secure operating system
as it incorporates a wide range of privacy-enhancing is Qubes OS. While not the simplest option for non-
features. These features include the integration of Tor technical users, Qubes is designed to limit the threat
(discussed below) to secure your web traffic, and the of malware and is another option to consider for more
complete erasure of memory every time you shut down advanced and high-risk users in your organization,
the operating system. These features essentially allow especially if licensing costs are a challenge.
Securing Accounts
and Devices
What if we cannot afford legal software?

It can be expensive to purchase licensed versions of popular desktop applications at all - the free in-browser document
software like Microsoft Office (Word, Powerpoint, Excel) for and spreadsheet editors are more than enough for almost any
your entire organization, but a limited budget is not an excuse use. Another option, if you have staff with the technical skills,
to download pirated versions of software or fail to keep them is to install a free Linux-based operating system (an open
up to date. This is not a matter of morality – it is a matter of source alternative to Windows and Mac operating systems) on
security. Pirated software frequently is filled with malware and each computer. One popular, fairly user-friendly Linux option
often cannot be patched for security holes. If you cannot afford is Ubuntu. Regardless of what operating system you choose,
the software your organization needs, there is a wide range of make sure that someone in the organization is responsible for
great free, open source software like LibreOffice (a replacement regularly checking in with staff to ensure they have applied the
for standard Microsoft Office apps) or GIMP (a replacement for latest updates.
photoshop) that can serve your needs. Also consider registering
through Tech Soup, an organization that offers steep discounts When deciding on a new tool or system, consider how your
on popular software for nonprofits. Even if you can afford organization can support it technically and financially over
legitimate software and apps, your device is still at risk if the long term. Ask yourself questions like: Can you afford and
the underlying operating system is not legitimate. So if your retain the staff needed to securely maintain it? Can you pay for
organization cannot afford Windows licenses, consider cheaper recurring subscriptions? Do you have access to discounts from
alternatives like Chromebooks, which are a great, easy-to-secure groups like the aforementioned Tech Soup? Answering these
option if your organization works mostly in the cloud. If you questions can help ensure your software and tech strategies
are using Google Docs or Microsoft 365, you do not need many will be more successful over time.
Keeping Devices Secure
o Train staff on the risks of malware and the best practices to avoid it.
• Provide policies about connecting external devices, clicking on links, downloading
files and apps, and checking software and app permissions.
o Mandate that devices, software, and applications are kept fully updated.
• Turn on automatic updates where possible.
o Ensure all devices are using licensed software.
• If the cost is prohibitive, switch to a no-cost alternative.
o Require password protection of all organizational devices, including personal
mobile devices which are used for work-related communications.
o Enable full-disk encryption on devices.
o Frequently remind staff to keep their devices physically secure - and manage your
office security with appropriate locks and ways to secure computers.
o Do not share files using USBs or plug USBs into your computers.
• Use alternative secure file sharing options instead.

Securing Accounts
and Devices
Phishing: A Common Threat to Devices and

Accounts
Phishing is the most common and effective messaging apps like WhatsApp, social media messages or posts,
or phone calls (often referred to as voice phishing or “vishing”).
attack on organizations around the world. The The phishing messages may try to get you to type sensitive
technique is used by the most sophisticated information (like passwords) into a fake website in order to
nation-state militaries as well as petty gain access to an account, ask you to share private information
(like a credit card number) via voice or text, or convince you to
fraudsters. download malware (malicious software) that can infect your
device. For a non-technical example, every day millions of
Phishing, put simply, is where an adversary attempts to trick people get fake automated phone calls telling them that their
you into sharing information that could be used against you bank account was compromised or that their identity has been
or your organization. Phishing can happen via emails, text stolen - all of which are designed to trick the unaware into
messages/SMS (often referred to as SMS phishing or “smishing”), sharing sensitive information.
Phishing can sound sinister and impossible to catch, but there

HOW CAN WE IDENTIFY are some simple steps that everyone in your organization can
take to protect against the majority of attacks. The following
PHISHING? phishing defense tips are modified and extended from the in-
depth phishing guide developed by the Freedom of the Press
Foundation, and should be shared with your organization (and
other contacts) and integrated into your security plan:
Securing Accounts
and Devices
Sometimes, the “from” field is lying to you

Be aware that the “from” field in your emails can be faked an impersonator who set up “johm@gmail.com” - the only
or forged to trick you. It is common for phishers to set up an difference being a subtle change of letters at the end. Always
email address that looks a lot like a legitimate one that you are be sure to double-check that you know the sending address
familiar with, misspelled just a bit to trick you. For example, you of an email before proceeding. A similar concept applies to
may receive an email from someone with the address “john@ phishing via text, calls, or messaging apps. If you get a message
gooogle.com” as opposed to “john@google.com”. Notice the from an unknown number, think twice before responding to or
extra Os in google. You may also know someone with an email interacting with the message.
address “john@gmail.com”, but receive a phishing email from
Phishing and Civil Society
Sophisticated, personalized phishing attacks target civil fake Google email login page (shown in middle) that
society groups around the world every day. was used to steal account credentials. If victims provided
credentials to the fake page, their accounts would be
One example of such an attack is highlighted in The easily compromised. After providing their username and
Citizen Lab’s 2018 report, Spying on a Budget: Inside password to the fake site, victims would be redirected
a Phishing Operation with Targets in the Tibetan to an image (shown at right) that shows delegates in a
Community. This very inexpensive and simple - yet Tibetan meeting. The image was included as a decoy
incredibly effective - phishing attack was aimed at to make the phishing targets believe they had actually
Tibetan human rights defenders and other activists. The signed in to their real Google account and reduce any
attack started with a phishing email (shown at left) from possible suspicions about the true malicious nature of
a standard Gmail address that contained only an image the email.
file link. When clicked, the link brought the target to a

Securing Accounts
and Devices
Beware of attachments
Attachments can carry malware and viruses, and commonly onto your computer. This works well for word documents, PDFs,
accompany phishing emails. The best way to avoid malware and even slideshow presentations. If you need to edit the
from attachments is to never download them. As a rule, do not document, consider opening the file in a cloud program like
open any attachments immediately, especially if they come Google Drive and converting the file to a Google Doc or Google
from people you do not know. If possible, ask the person that Slides.
sent you the document to copy-paste the text in an email or to
share the document via a service like Google Drive or Microsoft If you use Outlook, you can similarly preview attachments
OneDrive, which have built-in virus scanning of most documents without downloading them from the Outlook web client. If you
uploaded to their platforms. Build an organizational culture need to edit the attachment, consider opening it in OneDrive if
where attachments are discouraged. that’s available to you. If you use Yahoo Mail, the same concept
If you absolutely have to open the attachment, it should only applies. Do not download attachments, but rather preview them
be opened in a safe environment (see Advanced section below) from within the web browser.
where potential malware cannot be deployed to your device.
Regardless of what tools you have at your disposal, the best
If you use Gmail and receive an attachment in an email, instead approach is simply to never download attachments that you
of downloading it and opening it on your computer, simply click do not know or trust, and regardless of how important an
on the attached file and read it in “preview” within your browser. attachment might seem, never open something with a file type
This step allows you to view the text and contents of a file you do not recognize or have no intention of ever using.
without downloading it or allowing it to load possible malware
Phishing Defense for Your Organization
If your organization uses enterprise Microsoft 365 for Organizations can use this technology to block staff
email and other applications, your domain administrator from accidentally accessing or interacting with malicious
should configure the Safe Attachments policy to protect content, providing an additional layer of protection
against dangerous attachments. If using enterprise against phishing. New services like Cloudflare’s Gateway
Google Workspace (formerly known as GSuite), there provide such capabilities to organizations without
is a similarly effective option that your administrator requiring large sums of money (Gateway, for example, is
should configure called Google Security Sandbox. More free for up to 50 users). Additional free tools, including
advanced individual users can consider setting up Quad9 from the Global Cyber Alliance Toolkit, will help
sophisticated sandbox programs, such as Dangerzone or, block you from accessing known sites that have viruses
for those with the Pro or Enterprise version of Windows or other malware and can be implemented in less than
10, Windows Sandbox. Another advanced option to five minutes.
consider implementing across your organization is a
secure domain name system (DNS) filtering service.
Securing Accounts
and Devices
to log in to something, do not do it unless you are 100 percent

Click with caution
sure that the email is legitimate and is sending you to the
Be skeptical of links in emails or other text messages. Links can appropriate site. Many phishing attacks will provide links that
be disguised to download malicious files or take you to fake send you to fake login pages for Gmail, Facebook, or other
sites that might ask you to provide passwords or other sensitive popular sites. Do not fall for them. You can always open a
information. When on a computer, there is a simple trick for new browser, and go directly to a known site like Gmail.com,
making sure a link in an email or message will send you to Facebook.com, etc. yourself if you want or need to login. That
where it is supposed to: Use your mouse to hover over any link will also take you to the content, safely – if it was legitimate in
before clicking on it, and look in the bottom of your browser the first place.
window to see what the actual URL is (see image below).
It is more difficult to check links in an email on a mobile device

without accidentally clicking on them - so be careful. You can What should we do when we get a
check the destination of a link on most smartphones by long- phishing message?
pressing (holding down) on a link until the full URL pops up.
In phishing via SMS and messaging apps, shortened links are a If anyone at your organization receives an unsolicited
very common practice used to disguise the destination of a URL. attachment, link, image, or an otherwise suspicious message
If you see a short link (e.g. bit.ly or tinyurl.com) instead of the or call, it is important that they immediately report it to the
full URL, do not click on it. If the link is important, copy it into a IT security point-person in your organization. If you do not
URL expander, such as https://www.expandurl.net/, to see the have such an individual, you should identify them as part of
actual destination of a shortened URL. Furthermore, do not click developing your security plan. Staff can also report the email as
on links to websites you are unfamiliar with. If in doubt, perform spam or phishing directly in Gmail or Outlook.
a search for the site, with the site name in quotation marks (e.g.: Having a plan in place for what staff or volunteers should do
“www.badwebsite.com”) to see if it is a legitimate website. You if/when they receive a possible phishing message is crucial. In
can also run potentially suspicious links through VirusTotal’s addition, we recommend taking these phishing best practices
URL scanner. This is not 100 percent accurate, but it is a good - not clicking on suspicious links, avoiding attachments, and
precaution to take. checking the “from” address - and sharing them with others that
you work with, preferably through a widely-used communication
Finally, if you click on any link from a message and are asked channel. This illustrates that you care about the people you are
in communication with, and encourages a culture across your
networks that is alert and aware of the dangers of phishing.
Your security depends on those organizations you trust, and vice
versa. Better practices protect everyone.
In addition to sharing the tips above with all staff and
volunteers, you can also practice identifying phishing with the
Google Phishing Quiz. We also strongly recommend setting
up regular phishing training with staff to test awareness and
keep people vigilant. Such training can be formalized as part
of regular organizational meetings, or held more informally.
What is important is that everyone in the organization feels
comfortable asking questions about phishing, reporting
phishing (even if they feel they might have made a mistake such
as by clicking a link), and that everyone is empowered to help
defend your organization against this high impact and high
likelihood threat.

Securing Accounts
and Devices
Phishing
o Regularly train staff on what phishing is and how to spot it and defend against it,
including phishing on text messages, messaging apps, and phone calls, not just
email.
o Frequently remind staff of best practices such as:
• Do not download unknown or potentially suspicious attachments.
• Check the URL of a link before you click. Do not click unknown or potentially
suspicious links.
• Do not provide sensitive or private information via email, text, or phone call to
unknown or unconfirmed addresses or people.
o Encourage reporting of phishing.
• Establish a reporting mechanism and point-person for phishing within your
organization.
• Reward reporting, and do not punish failure.
Communicating
and Storing Data
Securely
Securing Accounts
and Devices
37
Securing Accounts
and Devices
Communications and Sharing Data
To make the best decisions for your One of the most important elements of communications
security relates to keeping private communications private -
organization about how to communicate, it is which in the modern era is largely taken care of by encryption.
essential to understand the different types of Without proper encryption, internal communications could be
protection that our communications can have, seen by any number of adversaries. Insecure communications
can expose sensitive or embarassing information and messages,
and why such protection is important. reveal passwords or other private data, and possibly put your
staff and organization at risk depending upon the nature of your
communications and content that you share.
Secure Communications and Civil Society
Thousands of democracy and human rights activists and report, phone recordings and other unencrypted
organizations rely on secure communication channels communications were intercepted by the government
every day to maintain the confidentiality of conversations and used in court against prominent opposition
in challenging political environments. Without such politicians and activists, many of whom spent years in
security practices, sensitive messages can be intercepted prison. In 2020, another swell of post-election protests
and used by authorities to target activists and break up in Belarus saw thousands of protestors adopt user-
protests. One prominent and well-documented example friendly, secure messaging apps that were not as readily
of this occurred in the aftermath of the 2010 elections available just ten years prior to protect their sensitive
in Belarus. As detailed in this Amnesty International communications.
Securing Accounts
and Devices
Encryption is a mathematical process used to scramble a

WHAT IS ENCRYPTION AND message or a file so that only a person or entity with the key
can “decrypt” it and read it. The Electronic Frontier Foundation’s
WHY IS IT IMPORTANT? Surveillance Self Defense Guide provides a practical
explanation (with graphics) of what encryption means:
Unencrypted Messaging
Without any encryption, everyone involved in relaying
the message, and anyone who can sneak a peak as it
goes by, can read its content. This might not matter
much if all you are saying is “hello”, but it could be a big
deal if you are communicating something more private
or sensitive that you do not want your telecom, ISP, an
unfriendly government, or any other adversary to see.
Because of this, it is essential to avoid using unencrypted
tools to send any sensitive messages (and ideally any
messages at all.) Keep in mind that some of the most
popular communication methods - such as SMS and
phone calls - practically operate without any encryption
(like in this image).
As you can see in the image above, a smartphone sends and anyone who can sneak a peek as it goes by can read its
a green, unencrypted text message (“hello”) to another content. This might not matter much if all you are saying is
smartphone on the far right. Along the way, a cellphone “hello,” but it could be a big deal if you are communicating
tower (or in the case of something sent over the internet, something more private or sensitive that you do not want
your internet service provider, known as an ISP) passes your telecom, ISP, an unfriendly government, or any other
the message along to company servers. From there it hops adversary to see. Because of this, it is essential to avoid using
through the network to another cellphone tower, which can unencrypted tools to send any sensitive messages (and ideally
see the unencrypted “hello” message, and is finally then any messages at all.) Keep in mind that some of the most
routed to the destination. It is important to note that without popular communication methods - such as SMS and phone
any encryption, everyone involved in relaying the message, calls - practically operate without any encryption (like in the
image above).

Securing Accounts
and Devices
There are two ways to encrypt data as it moves: transport-layer encryption and end-to-end encryption. The type of encryption a service
provider supports is important to know as your organization makes choices to adopt more secure communications practices and
systems. Such differences are described well by the Surveillance Self Defense Guide which is adapted again here:
Transport-layer Encryption
Transport-layer encryption, also known as transport layer
security (TLS), protects messages as they travel from your
device to the messaging app/service’s servers and from
there to your recipient’s device. This protects them from
the prying eyes of hackers sitting on your network or
your internet or telecommunications service providers.
However, in the middle, your messaging/email service
provider, the website you are browsing, or the app you
are using can see unencrypted copies of your messages.
Because your messages can be seen by (and are often
stored on) company servers, they may be vulnerable
to law enforcement requests or theft if the company’s
servers are compromised.
The image above shows an example of transport-layer are able to decrypt the message, read the contents, decide where
encryption. On the left, a smartphone sends a green, unencrypted to send it, re-encrypt it, and send it along to the next cellphone
message: “Hello.” That message is encrypted and then passed tower towards its destination. At the end, the other smartphone
along to a cellphone tower. In the middle, the company servers receives the encrypted message, and decrypts it to read “Hello.”
End-to-End Encryption
End-to-end encryption protects messages in transit
all the way from sender to receiver. It ensures that
information is turned into a secret message by its
original sender (the first “end”) and decoded only by
its final recipient (the second “end”). No one, including
the app or service you are using, can “listen in” and
eavesdrop on your activity.
The image above shows an example of end-to-end encryption. smartphone receives the encrypted message, and decrypts
On the left, a smart phone sends a green, unencrypted it to read “Hello.” Unlike transport-layer encryption, your ISP
message: “Hello.” That message is encrypted, and then passed or messaging host is not able to decrypt the message. Only
along to a cellphone tower and then to the app/service’s the endpoints (the original devices sending and receiving
servers, which cannot read the contents, but will pass the encrypted messages) have the keys to decrypt and read the
secret message along to its destination. At the end, the other message.
Securing Accounts
and Devices
WHAT TYPE OF ENCRYPTION WHAT END-TO-END

DO WE NEED? ENCRYPTED MESSAGING
When deciding whether your organization needs transport-layer TOOLS SHOULD WE USE (AS
encryption or end-to-end encryption for your communications
(or some combination of the two for different systems and
OF 2022)?
activities), the big questions you should ask involve trust. For
instance, do you trust the app or service you are using? Do If you need to use end-to-end encryption, or just want to
you trust its technical infrastructure? Are you concerned about adopt the best practice regardless of your organization’s threat
the possibility that an unfriendly government could force the context, here are some trusted examples of services that, as
company to hand over your messages – and if so, do you trust of 2022, offer end-to-end encrypted messaging and calls. This
the company’s policies to protect against law enforcement section of the Handbook will be regularly updated online, but
requests? please note that things change quickly in the world of secure
If you answer “no” to any of these questions, then you need end- messaging, so these recommendations may not be up to date
to-end encryption. If you answer “yes” to them, then a service at the time you are reading this section. Keep in mind that your
that supports only transport-layer encryption may suffice - but it communications are only as secure as your device itself. So in
is generally better to go with services that support end-to-end addition to adopting secure messaging practices, it is essential
encryption when possible. to implement the best practices described in the Secure Devices
section of this Handbook.
When messaging with groups, keep in mind that the security
of your messages is only as good as the security of everyone
receiving the messages. In addition to carefully choosing secure
apps and systems, it is important that everyone in the group
follows other best practices regarding account security and
device security. All it takes is one bad actor or one infected
device to leak the contents of an entire group chat or call.
Recommended End-to-End Encrypted Communications Tools
TEXT MESSAGING • Signal

(INDIVIDUAL OR • WhatsApp (only with specific setting configurations detailed
GROUP) below)
AUDIO AND VIDEO • Signal (up to 40 people)

CALLS • WhatsApp (up to 32 people on audio, eight on video)
• Signal
FILE SHARING • Keybase / Keybase Teams
• OnionShare + an end-to-end encrypted messaging app like
Signal

Securing Accounts
and Devices
WHAT IS METADATA AND

SHOULD WE BE CONCERNED
ABOUT IT?
Who you and your staff talk to and when and where you talk
to them can often be just as sensitive as what you talk about.
It is important to remember that end-to-end encryption only
protects the contents (the “what”) of your communications.
This is where metadata comes into play. EFF’s Surveillance
Self-Defense Guide provides an overview of metadata and why
it matters to organizations (including an illustration of what
metadata looks like):
Metadata is often described as everything except the content

of your communications. You can think of metadata as the
digital equivalent of an envelope. Just like an envelope contains
information about the sender, receiver, and destination of a
message, so does metadata. Metadata is information about the
digital communications you send and receive.
Some examples of metadata include:

• who you are communicating with
• the subject line of your emails
• the length of your conversations
• the time at which a conversation took place
• your location when communicating
Even a tiny sample of metadata can provide an intimate lens into your organization’s activities. Let us take a look at how revealing
metadata can actually be to the hackers, government agencies, and companies that collect it:
They know you called a They know multiple staff They know you got an email They know you received an
journalist and spoke with within your organization from a COVID testing service, email from a local human
them for an hour before that messaged a prominent local then called your doctor, then rights advocacy group with
journalist published a story digital security trainer. But visited the World Health the subject line “Tell the
with an anonymous quote. the topic of the messages Organization’s website in the Government: Stop Abusing
However, they do not know remains a secret. same hour. However, they do your Power”. But the content
what you talked about. not know what was in the of the email is invisible to
email or what you talked them.
about on the phone.
Securing Accounts
and Devices
Metadata is not protected by the encryption provided by most staff, you can enforce best practices like strong passwords and
message services. If you are sending a message on WhatsApp, 2FA on any accounts your organization manages. If, according
for example, keep in mind that while the contents of your to your analysis above, end-to-end encryption is necessary
message are end-to-end encrypted, it is still possible for others for your email, both Protonmail and Tutanota offer plans for
to know who you are messaging, how frequently, and, with organizations. If transport-layer encryption is adequate for your
phone calls, for how long. As a result, you should keep in mind organization’s email, options like Google Workspace (Gmail) or
what risks exist (if any) if certain adversaries are able to find Microsoft 365 (Outlook) can be useful.
out who your organization talks to, when you talked to them,
and (in the case of email) the general subject lines of your
organization’s communications. CAN WE REALLY TRUST
One of the reasons that Signal is so highly recommended is WHATSAPP?
that, in addition to providing end-to-end encryption, it has
introduced features and made commitments to reduce the WhatsApp is a popular choice for secure messaging, and can be
amount of metadata that it records and stores. For instance, a good option given its ubiquity. Some people are concerned
Signal’s Sealed Sender feature encrypts the metadata about that it is owned and controlled by Facebook, which has been
who is talking to whom, so that Signal only knows the recipient working to integrate it with its other systems. People are also
of a message but not the sender. By default this feature only concerned about the amount of metadata (i.e. information
works when communicating with existing contacts or profiles about with whom you communicate and when) that WhatsApp
(people) with whom you have already communicated or whom collects. If you choose to use WhatsApp as a secure messaging
you have stored in your contacts list. However you can enable option, be sure to read the above section on metadata. There
this “Sealed Sender” setting to “Allow from anyone” if it is are also a few settings that you need to ensure are properly
important for you to eliminate such metadata across all Signal configured. Most critically, be sure to turn off cloud backups,
conversations, even those with people unknown to you. or, at the very least, enable WhatsApp’s new end-to-end
encrypted backups feature using a 64 digit encryption key or
long, random, and unique passcode saved in a secure place
WHAT ABOUT EMAIL? (like your password manager). Also be sure to show security
notifications and verify security codes. You can find simple
Most email providers, for example Gmail, Microsoft Outlook, and how-to guides for configuring these settings for Android phones
Yahoo Mail, employ transport-layer encryption. So if you must here and iPhones here. If your staff *and those with whom you
communicate sensitive content using email and are worried all communicate* do not properly configure these options, then
that your email provider could be legally required to provide you should not consider WhatsApp to be a good option for
information about your communications to a government or sensitive communications that require end-to-end encryption.
another adversary, you may want to consider using an end-to- Signal still remains the best option for such end-to-end
end encrypted email option. Keep in mind, however, that even encrypted messaging needs given its secure default settings
end-to-end encrypted email options leave something to be and protection of metadata.
desired from a security perspective, for example, not encrypting
subject lines of emails and not protecting metadata. If you need
to communicate particularly sensitive information, email is not WHAT ABOUT TEXTING?
the best option. Instead opt for secure messaging options like
Signal. Basic text messages are highly insecure (standard SMS is
effectively unencrypted), and should be avoided for anything
If your organization does continue to use email, it is critical that is not meant for public knowledge. While Apple’s iPhone-
to adopt an organization-wide system. This helps you limit to-iPhone messages (known as iMessages) are end-to-end
the common risks that arise when staff use personal email encrypted, if a non-iPhone is in the conversation the messages
addresses for their work, such as poor account security practices. are not secured. It is best to be safe and avoid text messages for
For example, by providing organization-issued email accounts to anything remotely sensitive, private, or confidential.

Securing Accounts
and Devices
Luckily, end-to-end encrypted apps like Signal are becoming

WHY AREN’T TELEGRAM, increasingly popular and user-friendly - not to mention that
they have been localized in dozens of languages for global
FACEBOOK MESSENGER, OR use. If your partners or other contacts need help switching
communications over to an end-to-end encrypted option
VIBER RECOMMENDED FOR like Signal, take some time to talk them through why it is so
important to properly protect your communications. When
SECURE CHATS? everyoneunderstands the importance, the few minutes required
to download a new app and the couple of days it might take to
Some services, like Facebook Messenger and Telegram, only get used to using it will not seem like a big deal.
offer end-to-end encryption if you deliberately turn it on (and
only for one-to-one chats), so they are not good options for
sensitive or private messaging, especially for an organization. ARE THERE OTHER
Do not rely on these tools if you need to use end-to-end
encryption, because it is quite easy to forget to change away SETTINGS FOR END-TO-END
from the default, less secure settings. Viber claims to offer
end-to-end encryption, but has not made its code available ENCRYPTED APPS THAT WE
for review to outside security researchers. Telegram’s code has
also not been made available for a public audit. As a result, SHOULD BE AWARE OF?
many experts fear that Viber’s encryption (or Telegram’s “secret
chats”) may be substandard and therefore not suitable for In the Signal app, verifying security codes (which they refer to
communications that require true end-to-end encryption. as Safety Numbers) is also important. To view a safety number
and verify it in Signal, you can open up your chat with a contact,
tap their name at the top of your screen, and scroll down to
OUR CONTACTS AND tap “View Safety Number.” If your safety number matches with
your contact, you can mark them as “verified” from that same
COLLEAGUES ARE USING screen. It is especially important to pay attention to these safety
numbers and to verify your contacts if you receive a notification
OTHER MESSAGING APPS in a chat that your safety number with a given contact has
changed. If you or other staff need help configuring these
- HOW CAN WE CONVINCE settings, Signal itself provides helpful instructions. If using
THEM TO DOWNLOAD A NEW Signal, which is widely considered to be the best user-friendly
option for secure messaging and one-to-one calls, be sure to set
APP TO COMMUNICATE WITH a strong pin. Use at least six digits, and not something easy-
to-guess like your birth date. For more tips on how to properly
US? configure Signal and WhatsApp, you can check out the tool
guides for both developed by EFF in their Surveillance Self-
Defense Guide.
Sometimes there is a tradeoff between security and
convenience, but a little extra effort is worth it for sensitive
communications. Set a good example for your contacts. If you
have to use other less secure systems, be very conscious of
what you are saying. Avoid discussion of sensitive topics. For
some organizations, they may use one system for general
chatting and another with leadership for the most confidential
discussions. Of course, it is simplest if everything is just
automatically encrypted all the time - nothing to remember or
think about.
Securing Accounts
and Devices
Using Chat Apps in the Real World

To limit the damage in case a phone is lost, stolen, or With that said, if your organization is concerned about
confiscated, it is best practice to minimize the history of the safety of staff as a result of communications that
messages that are saved on your phone. One easy way might be seen on their phones, then using disappearing
to do this is to turn on “disappearing messages” for your messages with short timers is likely the simplest and
organization’s group chats, and to encourage staff to do most sustainable option.
so on their personal chats as well.
In Signal and other popular messaging applications,

you can set a timer for messages to disappear a certain
number of minutes or hours after being read. This setting
can be customized based upon the individual chat or
group. For most of us, setting a disappearing window
to one week gives you plenty of time to look things up
while not preserving messages that you will never need
– but which could potentially be used against you in
the future. Remember, what you do not have cannot be
stolen.
To turn on disappearing messages in Signal, open up a

chat, tap the name of the person/group you are chatting
with, tap disappearing messages, choose a timer and tap
ok. A similar setting exists in WhatsApp.
In more serious situations where there is a need

to immediately delete a message, perhaps because
someone’s phone has been stolen or you have sent a
message to the wrong person, note that Signal allows
you to delete a message to a group or an individual from
everyone’s phone within three hours of sending it just
by deleting it from your chat. Telegram remains popular
in many countries despite its encryption limitations for
a similar feature that allows users to delete messages
across devices without restrictions.

Securing Accounts
and Devices
end-to-end encrypted. If using Webex for secure group meetings

WHAT ABOUT LARGER GROUP and workshops, be sure to also enable strong passcodes on your
calls.
VIDEO CALLS? ARE THERE
After months of negative press, Zoom developed an end-to-
END-TO-END ENCRYPTED end encryption option for its calls. However, that option is not
turned on by default, requires that the call host associate their
OPTIONS? account with a phone number, and only works if all participants
join via the Zoom desktop or mobile app instead of dialing in.
With the increase in remote work, it is important to have a Because it is easy to accidentally misconfigure these settings, it
secure option for your organization’s large group video calls. is not ideal to rely on Zoom as an end-to-end encrypted option.
Unfortunately, no great options currently exist that check all the However, if end-to-end encryption is required and Zoom is your
boxes: user-friendly, support large numbers of attendees and only option, you can follow Zoom’s instructions to configure
collaboration features, and enable end-to-end encryption by it. Just be sure to check any call before it starts to ensure it is
default. indeed end-to-end encrypted by clicking the green lock in the
upper left-hand corner of the Zoom screen and seeing “end-to-
For groups of up to 40 people, Signal is a highly recommended end” listed next to the encryption setting. You should also set a
end-to-end encrypted option. Group video calls on Signal can strong passcode for any Zoom meeting.
be joined either from a smartphone or the Signal desktop app
on a computer, which allows for screen sharing. Keep in mind, In addition to the tools mentioned above, this flow-chart
however, that only your contacts who already use Signal can be developed by Frontline Defenders highlights some video
added to a Signal group. call and conferencing options that, depending upon your risk
context, might make sense for your organization.
If you are looking for other options, one platform that recently
added an end-to-end encrypted setting is Jitsi Meet. Jitsi Meet It is worth noting, however, that certain popular features of
is a web-based audio and video conferencing solution that can the above tools only work with transport-layer encryption. For
work for large audiences (up to 100 people) and requires no app example, turning on end-to-end encryption in Zoom disables
download or special software. Note that if you use this feature breakout rooms, polling capabilities, and cloud recording. In Jitsi
with large groups (more than 15-20 people) the call quality Meet, breakout rooms can disable the end-to-end encryption
may decrease. To set up a meeting on Jitsi Meet, you can go to feature, leading to an unwitting decrease in security.
meet.jit.si, type in a meeting code and share that link (via a
secure channel such as Signal) with your desired participants.
To use end-to-end encryption, take a look at these instructions
outlined by Jitsi. Note that all individual users will need to
enable end-to-end encryption themselves in order for it to work.
When using Jitsi, be sure to create random meeting room names
and to use strong passcodes to protect your calls.
If this option does not work for your organization, you can
consider using a popular commercial option like Webex or Zoom
with end-to-end encryption enabled. Webex has long allowed
for end-to-end encryption; however, this option is not turned
on by default and requires participants to download Webex
to join your meeting. To get the end-to-end encrypted option
for your Webex account you must open a Webex support case
and follow these instructions to ensure end-to-end encryption
is configured. Only the host of the meeting needs to enable
end-to-end encryption. If they do so, the entire meeting will be
Securing Accounts
and Devices
If end-to-end encryption is not needed for all of your

WHAT IF WE REALLY DO organization’s communications based upon your risk
assessment, you can consider using applications protected by
NOT NEED END-TO-END transport-layer encryption. Remember, this type of encryption
requires that you trust the service provider, such as Google
ENCRYPTION FOR ALL OUR for Gmail, Microsoft for Outlook/Exchange, or Facebook for
Messenger, because they (and anyone they might be compelled
COMMUNICATIONS? to share information with) can see/hear your communications.
Once again, the best options will depend upon your threat
model (for example, if you do not trust Google or if the U.S.
government is your adversary, then Gmail is not a good option),
but a few popular and generally trusted options include:
• Gmail (via Google Workspace)

• Outlook (via Office 365)
EMAIL • Do not host your own Microsoft Exchange server for
your organization’s email. If you are currently doing so,
you should migrate to Office 365.
• Google Hangouts
• Slack
• Microsoft Teams
TEXT MESSAGING • Mattermost
(INDIVIDUAL OR GROUP) • Line
• KaKao Talk
• Telegram
• Jitsi Meet
• Google Meet
GROUP CONFERENCING, • Microsoft Teams
AUDIO AND VIDEO • Webex
CALLS • GotoMeeting
• Zoom
• Google Drive
• Microsoft Sharepoint
FILE SHARING • Dropbox
• Slack
• Microsoft Teams

Securing Accounts
and Devices
option for your organization. Just be sure to configure sharing

A NOTE ABOUT FILE SHARING settings properly so that only the appropriate people have
access to a given document or folder, and ensure that these
In addition to securely sharing messages, sharing files safely services are connected to staff’s organizational (not personal)
is likely an important part of your organization’s security email accounts. If you can, prohibit sharing sensitive files via
plan. Most file-sharing options are built-in to messaging email attachments or physically with USBs. Using devices like
applications or services that you might already be using. For USBs within your organization greatly increases the likelihood
instance, sharing files via Signal is a great option if end-to-end of malware or theft and relying on email or other forms of
encryption is needed. If transport-layer encryption is enough, attachments weakens your organization’s defenses against
using Google Drive or Microsoft SharePoint might be a good phishing attacks.
Organizational Alternatives for File Sharing
If you are looking for a secure file sharing option for the Handbook, but for the purposes of file sharing within
your organization that is not directly embedded in a your organization, keep OnionShare in mind as a safer
messaging platform (or perhaps you are running into alternative to sharing large files on USBs around the
file size limits when sharing large documents), consider office if you do not have a trusted Cloud provider option.
OnionShare. OnionShare is an open source tool that
allows you to securely and anonymously share a file of If your organization is already investing in a password
any size. It works by having the sender download the manager, as described in this Handbook’s section
OnionShare app (available on Mac, Windows and Linux on passwords, and chooses Bitwarden’s premium or
computers), uploading the file(s) they wish to share, and teams account, the Bitwarden Send feature is another
generating a unique link. This link, which can only be option for secure file sharing. This feature allows users
processed in Tor Browser, can then be shared via any to create secure links to share encrypted files via any
secure messaging channel (Signal, for instance) to the secure messaging channel (such as Signal). File size is
intended recipient. The recipient can then open the limited to 100MB, but Bitwarden Send allows you to set
link in Tor Browser and download the file(s) to their an expiration date on links, password protect access to
computer. Keep in mind, the files are only as secure as shared files, and limit the number of times that your link
the method through which you share the link. Tor will be can be opened.
explained in more detail in a later “advanced” section of
Securing Accounts
and Devices
Communicating and Sharing Data Securely
o Require the use of trusted end-to-end encrypted messaging services for your
organization’s sensitive communications (and ideally for all communications.)
• Take time to explain to staff and external partners why secure communications are
so important; this will enhance the success of your plan.
o Set a policy on how long you will retain messages and when/if the organization will
use “disappearing” communications.
o Ensure proper settings are in place for secure communications apps, including:
• Ensure all staff are paying attention to security notifications and, if using
WhatsApp, not backing up chats.
• If using an app where end-to-end encryption is not enabled by default (e.g. Zoom
or Webex), ensure the required users have turned on the proper settings at the
outset of any call or meeting.
o Use cloud-based email services such as Office 365 or Gmail for your organization.
• Do not attempt to host your own email server.
• Do not allow staff to use personal email accounts for work.
o Frequently remind the organization about security best practices related to group
messaging and metadata.
• Be aware of who is included in group messages,chats, and email threads.

Securing Accounts
and Devices
Storing Data Securely
For most civil society organizations, one of the local servers. While it is possible to secure data on all these
devices, it is very hard to do so successfully without spending a
most important decisions to make is where to lot of money and hiring significant IT staff.
store their data.
When selecting a tool or service to store your data, ensure you
Is it “more secure” to store data on staff computers, on a local trust the company or group behind it. A quick google search
server, on external storage devices, or in the cloud? In 99 and checking with digital security experts can go a long way
percent of situations, the easiest and most secure option is to in helping you verify the trustworthiness of a potential tech
keep data stored in trusted cloud storage services. Perhaps the vendor. Some questions to keep in mind include: Do they sell
most common examples include Microsoft 365 and Google or share your private data? Do they have appropriate security
Drive. Without a comprehensive cloud storage plan, it is likely resources on staff? Do they offer security features (like 2FA) to
that your organization’s data is stored in a variety of places - help you protect your account?
including staff computers, external hard drives, and even a few
Data Storage and Civil Society
The advent of affordable (sometimes free) cloud-based the hackers to gain access to organizational email
data storage has made life easier (and more secure) accounts, install additional malware on the victim’s
for many resource-limited civil society organizations. servers and connected systems, and ultimately extract
Unfortunately, many still attempt to host their own sensitive data. While Microsoft quickly published
servers with relatively limited IT budget, staffing, and an update and instructions to identify and remove
support. In March 2021, the threat of such organizational potential intruders, once the hacks became public,
infrastructure became real for tens of thousands many organizations lacked the IT capacity to quickly
of organizations across the world when a Chinese apply such updates, leaving them exposed for extended
government-affiliated threat actor, called Hafnium, periods of time. The scope and impact of this global hack
unleashed a global cybersecurity catastrophe with a reveals the danger of civic organizations choosing to
sophisticated attack on self-hosted Microsoft Exchange self-host email servers and other types of sensitive data.,
servers. The attack compromised local servers, enabling particularly without significant investment in dedicated
cybersecurity staff.
Securing Accounts
and Devices
that you are not “oversharing” any files (such as by turning on

BENEFITS OF CLOUD STORAGE universal link sharing for files that should instead be limited to
just a few people.)
Even if you take all the right steps to protect your computers
against malware and physical theft, it is still possible for a
determined adversary to hack into your computer or local server. WHAT IF WE DO NOT TRUST
It is much harder for them to defeat the security defenses of, for
example, Google or Microsoft. Good cloud storage companies GOOGLE OR MICROSOFT OR
have unparalleled security resources and have a strong business
incentive to provide maximum security to their users. In short: a OTHER CLOUD STORAGE
trusted cloud storage strategy will be much easier to implement
and keep secure over time. So instead of worrying about trying PROVIDERS?
to secure your own server, you can focus your energy on a
handful of simpler tasks. Keeping the bulk of your information If one of your adversaries (for instance, a foreign or local
in the cloud helps with a range of common risks. Was someone’s government) can legally force Google or Microsoft (or another
computer left in a restaurant or their phone on the bus? Did cloud storage provider) to hand over data, then it might not
your child tip a glass of juice onto your keyboard, leaving your make sense to choose them as data storage options. This
device inoperable? Does a staffer have malware and need to risk might be higher if your adversary is the United States
erase their computer and start fresh? If most documents and government, for example, but much lower if your adversary is an
data are in the cloud, it is easy to re-synchronize and start fresh authoritarian regime. Keep in mind that Google and Microsoft
on a cleaned or entirely new computer. Also if malware gets into both have policies about only handing over data when legally
a computer or if a thief scans a hard drive, there is nothing to obligated to do so, and recognize that your organization could
steal if most documents are accessed through the web browser. itself be vulnerable to the same sort of legal demands from
your own government if hosting data locally. In situations where
Google or Microsoft cloud storage do not make sense for your
organization, an alternative option to consider is Keybase. The
WHAT CLOUD STORAGE “teams” feature in Keybase allows your organization to share
files, and messages, using end-to-end encryption in a secure
PROVIDER SHOULD WE cloud environment without having to rely on a third-party
provider. As a result, it can be a good option for securely storing
CHOOSE? documents and files across your organization. However, Keybase
is less familiar to most users, so be aware that adoption of
The two most popular cloud storage options are Google this tool is likely to take more training and effort than other
Workspace (formerly known as GSuite) and Microsoft 365. If you aforementioned solutions. With that said, if you do opt to go
and your staff already use Gmail, signing up your organization it alone and not use cloud storage altogether, it is crucial that
for Google Workspace and storing data in Google Drive with you invest time and resources into strengthening the digital
its built-in Google Docs, Sheets, and Slides apps for word defenses of your organization’s devices, and ensuring any local
processing, spreadsheets, and presentations make a lot of sense. servers are properly configured, encrypted, and kept physically
Similarly, if you are an organization reliant on Excel and Word, safe. You may save on monthly subscription fees, but it will cost
the easy choice is to sign up for Microsoft 365, which gives your your organization in staff time and resources, and in being far
organization access to Outlook for email and licensed versions more vulnerable to attack.
of Microsoft Word, Excel, Powerpoint, and Teams. Regardless of
which provider you choose, storing data securely in the cloud
requires implementing good sharing settings and training staff BACKING UP DATA
to understand how and when to share (and not share) folders
and documents. In general, you should set up folders within Whether your organization stores data on physical devices or in
your cloud storage drive that limit access to only the staff that the cloud, it is important to have a backup. Keep in mind that
need it for given files. Routinely audit your system to make sure if you rely on physical device storage, it is quite easy to lose

Securing Accounts
and Devices
access to your data. You could spill coffee on your computer how a cloud storage solution can comply with any local
and destroy the hard drive. Staff computers could be hacked requirements. Many cloud storage providers, including Google
and all local files locked with ransomware. Someone could and Microsoft, now offer options that allow some customers to
lose a device on the train or have it stolen along with their choose the geographic location of their data in the cloud, for
briefcase. As mentioned above, this is another reason why example.
using cloud storage can be a benefit, because it is not tied to a
specific device that can be infected, lost, or stolen. Macs come
with built-in backup software called Time Machine which is
used together with an external storage device; for Windows Enhancing the Security
devices, File History offers similar functionality. iPhones and
Androids can automatically back up their most important of Organizational Cloud
contents to the cloud if enabled under your phone’s settings.
If your organization is using cloud storage (like Google Drive) Accounts
the risk of Google being taken down or your data destroyed
in a disaster is quite low, but human error (like accidentally If your organization chooses to set up a domain in
deleting important files) is still a possibility. Exploring a cloud Google Workspace or Microsoft 365, be aware that
backup solution like Backupify or SpinOne Backup may be both companies offer higher levels of security (for
worthwhile. If data is stored on a local server and/or local free in many cases) to civil society organizations.
devices, a secure backup becomes even more critical. You can Google’s Advanced Protection Program and
backup your organization’s data to an external hard drive, but Microsoft’s AccountGuard provide even more
be sure to encrypt that hard drive with a strong password. robust security to all of your organization’s
Time Machine can encrypt hard drives for you, or you can use cloud accounts, and help you greatly reduce the
trusted encryption tools for the whole hard drive like VeraCrypt likelihood of effective phishing and account
or BitLocker. Be sure to keep any backup devices in a separate compromise. If you believe that your organization
location from your other devices and files. Remember, a fire that qualifies and are interested in enrolling your
destroys both your computers and their backups means you organization in either plan, visit the websites
do not have backups at all. Consider keeping a copy in a very linked above or contact cyberhandbook@ndi.org
secure location, such as a safe deposit box. for further assistance.
Note: if using a cloud provider in a country with specific data

localization laws, check with legal experts to better understand
Storing Data Securely
o Store sensitive data exclusively in a trusted cloud storage service.

• Ensure any connected accounts used to access such a service have strong
passwords and 2FA.
o Set and enforce a policy to limit sharing settings within the cloud.
• Train all staff on how to properly share (and not overshare) documents.
o If your organization opts to store data locally, invest in skilled IT staff.
o Keep data backups secure - encrypt backup hard drives or other backup devices.
Staying Safe on
the Internet
Securing Accounts
and Devices
53
Securing Accounts
and Devices
When using the internet on your phone or It is important to keep sensitive information – like usernames
and passwords that you type into a website, your social media
computer, your activity can say quite a bit about posts, or in certain contexts even the names of the websites
you and your organization. that you visit – out of the view of prying eyes. Having your
access to certain sites or apps blocked or restricted is also a
common concern. These two problems – internet surveillance
and internet censorship – go hand in hand, and the strategies to
reduce their impacts are similar.
Browsing Securely
USING HTTPS
The most important step to limiting an adversary’s ability to numbers, or messages), and the details of the site and pages
surveil your organization online is to minimize the amount you are visiting are all exposed. This means that (1) any hackers
of information available about you and your colleagues’ on your network, (2) your network administrator, (3) your ISP
internet activity. Always make sure you are connecting to and any entity they might share data with (like governmental
websites securely: make sure the URL (location) starts with authorities), (4) the ISP of the site you are visiting and any
“https’’ and shows a small lock icon in the address bar of your entity they might share data with, and of course (5) the site you
browser. When you browse the internet without encryption, are visiting itself all have access to quite a bit of potentially
the information you type into a site (like passwords, account sensitive information.
Securing Accounts
and Devices
Surveillance, Censorship, and Civil Society
Governments are increasingly using their influence actors across the globe are using increasingly accessible
and authority over internet service providers and other surveillance technology to monitor the activity of
local internet infrastructure to prevent individuals and citizens online. For instance, according to Freedom
civil society groups from accessing information on House’s Freedom on the Net 2020 report, the Ugandan
the internet. In some cases, such internet disruptions government partnered with the Chinese tech company
are aimed at taking down key communications and Huawei to surveil opposition figures and civic activists in
information sharing platforms including social media the run up to and aftermath of a contentious presidential
and news sites. For instance, in response to protests election in the country.
resulting from a military coup, the Myanmar military
directed mobile operators to temporarily shut down The increasing frequency of such attacks on access to
the entire mobile data network in the country. This and freedom of information online highlight just how
came shortly after more targeted blocking of Facebook, essential it is for civil society groups to understand the
Twitter, and Instagram. In addition to blocking internet risks of operating on the internet and develop plans for
access and websites, governments and other threat how to connect when connectivity is impacted.

Securing Accounts
and Devices
Let’s take a real-world example of what browsing without encryption looks like:
Adapted from the Totem Project’s How the Internet Works (CC–BY–NC–SA)
When browsing without encryption, all of your data is exposed. As shown above, an adversary can see where you are, that you are
going to news.com, looking specifically at the page on protests in your country, and see your password that you share to log in to the
site itself. Such information in the wrong hands not only exposes your account but also gives potential adversaries a good idea of
what you might be doing or thinking about.
Securing Accounts
and Devices
Using HTTPS (the “s” stands for secure) means that encryption is in place. This offers you much more protection.
Let’s take a look at what browsing with HTTPS (aka with encryption) looks like:

Securing Accounts
and Devices
With HTTPS in place, a potential adversary can no longer see ensure you are using HTTPS at all times, or if you use Firefox,
your password or other sensitive information that you might turn on HTTPS only mode in the browser.
share to a website. They can, however, still see what domains If you are presented with a warning from your browser that
(for example, news.com) you are visiting. And while HTTPS also a website might be insecure, do not ignore it. Something
encrypts information about the individual pages within a site is wrong. It might be benign – like the site has an expired
(for example, website.com/protests) that you visit, sophisticated security certificate – or the site might be maliciously spoofed
adversaries can still see this information by inspecting your or faked. Either way, it is important to heed the warning and
internet traffic. With HTTPS in place, an adversary might know not proceed to the site. HTTPS is essential and encrypted DNS
that you are going to news.com, but they would not be able provides some extra protection against snooping and site
to see your password, and it would be more difficult (but not blocking, but if your organization is concerned about highly
impossible) for them to see that you are looking up information targeted surveillance regarding your online activities and faces
about protests (to use this one example). That is an important sophisticated censorship online (such as websites and apps
difference. Always check that HTTPS is in place before being blocked), you might want to use a trusted virtual private
navigating through a website or entering sensitive information. network (VPN).
You can also use the HTTPS Everywhere browser extension to
Using Encrypted DNS
If you want to make it more difficult (but not impossible) default. Users of Chrome or Edge browsers can turn on
for an ISP to know the details of the websites that you encrypted DNS through the browser’s advanced security
visit, you can use encrypted DNS. settings by turning on “use secure DNS” and selecting
“With: Cloudflare (1.1.1.1)” or the provider of their choice.
If you are wondering, DNS stands for Domain Name
System. It is essentially the phonebook of the internet, Cloudflare’s 1.1.1.1 with WARP encrypts your DNS and
translating human-friendly domain names (like ndi.org) encrypts your browsing data - providing a service similar
to web-friendly internet protocol (IP) addresses. This to a traditional VPN. While WARP does not fully protect
allows people to use web browsers to easily look up and your location from all websites that you visit, it is an
load internet resources and visit websites. By default easy-to-use feature that can help your organization’s
though, DNS is not encrypted. staff take advantage of encrypted DNS and additional
protection from your ISP in situations where a full VPN
To use encrypted DNS and add a bit of protection to is either not functional or required given the threat
your internet traffic at the same time, one easy option context. In the 1.1.1.1 with WARP advanced DNS settings,
is to download and turn on Cloudflare’s 1.1.1.1 app staff can also turn on 1.1.1.1 for Families to provide
on your computer and mobile device. Other encrypted additional protection against malware while accessing
DNS options, including Google’s 8.8.8.8, are available the internet.
but require more technical steps to configure. If you
use Firefox browser, encrypted DNS is now turned on by
Securing Accounts
and Devices
WHAT IS A VPN?
A VPN is essentially a tunnel that protects against the surveillance and blocking of your internet traffic from hackers on your
network, your network administrator, your ISP, and anyone they might share data with. It is still essential to use HTTPS and to ensure
that you trust the VPN that your organization uses. Here is an example of what browsing with a VPN looks like:

Securing Accounts
and Devices
To describe VPNs in more depth, this section references EFF’s Why should you not just use a free VPN? The short answer is
Surveillance Self-Defense Guide: that most free VPNs, including those that come pre-installed on
some smartphones, come with a big catch. Like all businesses
Traditional VPNs are designed to disguise your actual network and service providers, VPNs have to sustain themselves
IP address and create an encrypted tunnel for the internet somehow. If the VPN does not sell its service, how is it keeping
traffic between your computer (or phone or any networked its business afloat? Does it solicit donations? Does it charge for
“smart” device) and the VPN’s server. Because traffic in the premium services? Is it supported by charitable organizations
tunnel is encrypted and sent to your VPN, it is much harder for or funders? Unfortunately, many free VPNs make their money by
third parties like ISPs or hackers on public Wi-Fi to monitor, collecting and then selling your data.
modify, or block your traffic. After going through the tunnel from
you to the VPN, your traffic then leaves the VPN to its ultimate A VPN provider that does not collect data in the first place is
destination, masking your original IP address. This helps to the best choice. If the data is not collected, it cannot be sold
disguise your physical location for anyone looking at traffic or handed over to a government if requested. When looking
after it leaves the VPN. This offers you more privacy and security, through a VPN provider’s privacy policy, see whether the VPN
but using a VPN does not make you completely anonymous actually collects user data. If it does not explicitly state that
online: your traffic is still visible to the operator of the VPN. Your user connection data is not being logged, chances are that it is.
ISP will also know that you are using a VPN, which might raise Even if a company claims not to log connection data, this may
your risk profile. not always be a guarantee of good behavior.
This means that choosing a trustworthy VPN provider is It is worthwhile to do a search on the company behind the
essential. In some places like Iran, hostile governments have VPN. Is it endorsed by independent security professionals?
actually set up their own VPNs to be able to track what citizens Does the VPN have news articles written about it? Has it ever
are doing. To find the VPN that is right for your organization and been caught misleading or lying to its customers? If the VPN
its staff, you can evaluate VPNs based on their business model was established by people known in the information security
and reputation, what data they do or do not collect, and of community, it is more likely to be trustworthy. Be skeptical
course the security of the tool itself. of a VPN offering a service that no one wants to stake their
reputation on, or one that is run by a company that no one
knows about.
Fake VPNs in the Real World

In late 2017, following a surge in protests in the country, locally. Unfortunately the fake application was nothing
Iranians started discovering a “free” (but fake) version more than malware that allowed authorities to track the
of a popular VPN being shared via text messages. The movement and monitor the communications of those
free VPN, which did not actually work, promised to grant who downloaded it.
access to Telegram, which at that time was blocked
Securing Accounts
and Devices
So what VPN should we use?
If using a VPN makes sense for your organization, a couple Although most modern VPNs have improved in regard to
of trustworthy options include TunnelBear and ProtonVPN. performance and speed, it is worth keeping in mind that using a
Another option is to configure your own server using Jigsaw’s VPN might slow down your browsing speed if you are on a very
Outline, where there is not a company managing your account, low-bandwidth network, suffer from high latency or network
but in return you have to set up your own server. If your delays, or experience intermittent internet outages. If you are on
organization is a bit larger, you may want to consider a business a faster network, you should default to using a VPN all the time.
VPN that provides account management features such as
TunnelBear’s Teams plan. For certain qualifying organizations in If you do recommend that staff use a VPN, it is also important
the civil society and human rights space, TunnelBear provides to ensure that people keep the VPN turned on. It might sound
credits for free use of their VPN (which usually costs about obvious, but a VPN that is installed but not running does not
$3 per month). If you believe that your organization qualifies provide any protection.
and are interested, contact cyberhandbook@ndi.org for more
information.
Anonymity through Tor
In addition to VPNs, you may have heard of Tor as browser. It operates like any normal browser except
another tool for more securely using the internet. It is that it routes your traffic through the Tor network. You
important to understand what both are, why you might can download the Tor browser on Windows, Mac, Linux
use one or the other, and how both might impact your or Android devices. Keep in mind that when using Tor
organization. Browser, you are only protecting the information you
access while in the browser. It does not provide any
Tor is a protocol for transmitting data anonymously protection to other apps or downloaded files that you
over the internet by routing messages or data through might open separately on your device. Also keep in mind
a decentralized network. You can learn more about how that Tor does not encrypt your traffic, so - much like when
Tor works here, but in short, it routes your traffic through using a VPN - it is still essential to use best practices like
multiple points along the way to its destination so that HTTPS when browsing.
no single point has enough information to expose who
you are and what you are doing online at once. If you would like to extend the anonymity protections
of Tor to your entire computer, more tech savvy users
Tor is different from a VPN in a few ways. Most can install Tor as a systemwide internet connection, or
fundamentally, it differs because it does not rely on trust consider using the Tails operating system, which routes
of any one specific point (like a VPN provider). all traffic through Tor by default. Android users can also
use the Orbot app to run Tor for all internet traffic and
This graphic, developed by EFF, shows the difference apps on their device. Regardless of how you use Tor, it
between a traditional VPN and Tor. is important to know that when using it, your internet
service provider cannot see what websites you are
The easiest way to use Tor is through the Tor web visiting but they *can* see that you are using Tor itself.

Securing Accounts
and Devices
Much like when using a VPN, this could raise the risk that is properly used by all staff at all times is easiest,
profile of your organization considerably, because Tor most convenient, and in the age of greater VPN usage
is not a very common tool and therefore stands out to globally, less likely to raise red flags. However if you
adversaries that may be monitoring your internet traffic. either cannot afford a trustworthy VPN or operate in
an environment where VPNs are routinely blocked, Tor
So, should your organization use Tor? The answer: it can be a good option, if legal, for limiting the impact of
depends. For most at-risk organizations a trusted VPN surveillance and avoiding censorship online.
you are connected to Tor or a VPN. If that is illegal where your

Are there any reasons we should not use
organization operates or might cause more attention or risk
a VPN or Tor? than simply navigating the web with standard HTTPS and
encrypted DNS, perhaps a VPN or especially Tor (which is much
Apart from concerns around non-reputable VPN services, less commonly used and therefore a bigger “red flag”) is not the
the biggest thing to consider is whether using a VPN or Tor right choice for your organization. However, as VPN use becomes
might attract unwanted attention or, in some jurisdictions, be more common, this is less of a distinguishing factor. Defaulting
against the law. Although your ISP will not know what sites to having a VPN on all the time is the best choice if legal and
you are visiting while using these services, they can see that possible.
Securing Accounts
and Devices
browser features, check out this resource from the Freedom of

WHAT BROWSER SHOULD WE the Press Foundation. Regardless of browser, it is also a good
idea to use an extension or add-on like Privacy Badger, uBlock
BE USING? Origin, or DuckDuckGo’s Privacy Essentials that stops advertisers
and other third-party trackers from tracking where you go and
Use a reputable browser such as Chrome, Firefox, Brave, Safari, what sites you visit. And when browsing the internet, consider
Edge, or Tor Browser. Both Chrome and Firefox are very widely switching your default web searches away from Google to
used and do a great job with security. Some people prefer DuckDuckGo, Startpage, or another privacy-protecting search
Firefox given its privacy focus. Either way, it is important that engine. Such a switch will help limit advertisers and third-party
you restart them and your computer relatively frequently to trackers as well.
keep your browser up to date. If you are interested in comparing
Browser Security in the Real World

Tibetan civil society activists were targeted in early 2021 users who visited websites that were linked to phishing
with a cleverly designed malicious browser add-on that emails. Such browser extension or add-on attacks can
stole their email and browsing data. The add-on, which be just as damaging as malware shared directly through
was titled “Flash update components”, was presented to phishing downloads or other software.

Securing Accounts
and Devices
Social Media Safety
Your organization can reveal a lot – and Whether it is Facebook, Twitter, Instagram, YouTube or region-
specific social media sites such as VKontakte and Odnoklassniki,
sometimes more than it intends – by posting you should always think carefully about what you post, and
and commenting on social media. properly configure any privacy settings that may be available.
This is true not only for your organization’s official pages, but
also in some cases for staffs’ personal accounts and those of
their family and friends too.
Social Media Security and Civil Society
Even low risk organizations can be targeted and accounts or successfully impersonate you online.
harassed on social media without proper security In addition to hacking accounts, civil society groups
policies in place. In this example from 2018, a non-profit and individual users in many countries are also facing
animal shelter lost thousands of dollars and alienated repercussions for content posted on social media. In
supporters after an unauthorized account administrator one example in Zambia from 2020, police arrested a
set up a fake fundraising effort, and fake accounts 15-year-old student for allegedly defaming the president
impersonating employees appeared on the platform. If in a Facebook post. The child, who posted under a
hackers will go to those lengths to make a few thousand pseudonym, was identified by the phone number used
dollars off of an animal shelter, you can imagine the to register the account and his internet protocol (IP)
damage sophisticated adversaries might be able to address.
inflict if they were to gain access to your organization’s
Securing Accounts
and Devices
DEVELOP AN ONLINE HARASSMENT

ORGANIZATIONAL SOCIAL Unfortunately, many organizations face significant harassment
online, especially on social media. Such harassment is often
MEDIA POLICY directed with even more intensity at women and marginalized
populations. Online violence against women in particular can
Assume that anything posted on social media could become create a hostile environment that leads to self-censorship
public knowledge, and craft an organizational social media or withdrawal from political or civic discourse. As identified
policy accordingly. This policy should answer questions such as: in NDI’s Gender, Women, and Democracy team’s Tweets that
Who has access to your social media accounts? Who is allowed Chill report, when attacks against politically active women
to post and who needs to approve posts? What information are channeled online, the expansive reach of social media can
should/should not be shared on social media? If you post magnify the effect of harassment and psychological abuse,
photos, location information, or other identifying information undermining women’s sense of personal security in ways not
about your staff, partners, or event attendees have you asked for experienced by men.
their permission, and have they considered the risks? In addition
to developing your policy and making it clear to staff, be sure to As your organization develops its social media policy, it is
properly configure your privacy and security (often referred to important to be cognizant of these dynamics. Build into your
as “safety”) settings. Some key questions to ask yourself as you security plan structured support for staff who face negative
decide what privacy and safety settings make the most sense messages, insults, and threats on social media, both as part
for your personal and organizational accounts, include: of their jobs and in their personal lives. Develop an anti-
• Do you want to share your posts with the public, or only harassment infrastructure within your organization, including
with a specific group of people internally or externally? surveying your staff to understand how online harassment
• Should anybody be able to comment, reply, or interact with impacts them and create a rapid response team to help staff
your messages or posts? face challenging situations. PEN America’s Online Harassment
• Should people be able to find you or your organization Field Manual also provides detailed recommendations on how
using your email address or (personal or professional) you can support staff who face such harassment. You might
phone number? consider, if your staff are comfortable doing so, reporting
• Do you want your location shared automatically when you incidents of harassment and/or problematic accounts directly to
post? the platforms as well.
• Do you want to block or mute hostile accounts?
• Do you want to block specific words or hashtags? When engaging with staff who have been the victim of
harassment online (and in the physical world as well), it is
Each social media site will have different privacy and safety important to be sensitive. As outlined by the Association for
settings, but these general concepts apply universally. As you Progressive Communications’ Women’s Rights Programme’s Take
consider these questions, take advantage of helpful privacy Back the Tech, understand that a survivor may be dealing with
guides from the major platforms: Facebook, Twitter, Instagram, trauma, and recognize that violence (online or offline) is never
and YouTube. For Facebook in particular, be cautious about the fault of the survivor. Ensure such issues can be raised and
your privacy choices regarding Groups. Facebook Groups are discussed (if staff are comfortable doing so) in a confidential
a popular spot for engagement, advocacy, and information and safe environment, with the option of anonymity. And
sharing, but unrestricted groups can be joined by anyone. It include in your organization’s security plan a list of local
is not uncommon for “fake” accounts to pose as real people professionals, organizations, and law enforcement agencies that
in an effort to infiltrate private social media groups or pages. you can connect staff to for legal, medical, mental health, and
Therefore, accept “friend” and “follow” requests carefully. technical assistance if needed. For additional ideas, check out
Remember that your organization’s social media accounts are Feminist Frequency’s Online Safety Guide.
only as secure as the accounts that are “linked” to it. This is
especially important to remember for Facebook, where your
organization’s page may be managed by someone’s linked
personal account.

Securing Accounts
and Devices
Keep your Websites Online
In addition to protecting your ability to access For social media pages, this means protecting those accounts
with strong, unique passwords and two-factor authentication.
the internet safely, it is also important to do For your website, this means protecting it against hacking and
what you can to ensure others can access your denial of service attacks. Distributed Denial of Service (DDoS)
organization’s websites or web properties. attacks are where a large group of computers simultaneously
drown your server in malicious traffic. If you are a civil society
organization or other non-profit organization, you can most
likely qualify for free DDoS protection - which makes it much
harder for an adversary to take your website down. A few
options include Cloudflare’s Project Galileo, Google’s Project
Shield, or eQualitie’s Deflect service.
Hosting Your Organization’s Website Securely
Websites are hosted on computers - and those are using well-established cloud hosting providers such
vulnerable to hacking just like your own devices. If as Amazon Web Services (AWS), Microsoft Azure, or
possible, your organization should take advantage of Greenhost’s eclips.is, which provide enhanced security
existing hosting services like Wordpress.com, Wix, or options for hosted websites. Regardless of what tools
others that manage all the site security for you. If you you use to host your website, ensure that any accounts
are reading this handbook, your organization also likely used to access content editing and configuration
qualifies for free secure hosting of a Wordpress site by settings are protected with strong passwords and two
eQualitie through their eQPress Hosting service. This factor authentication.
is a great option for civic organizations with existing
Wordpress sites or if your organization is looking If your organization has the technical savvy to host its
to build a new site. If your website needs are more own website, you should consider choosing a so-called
complex, or if you need to host your website yourself, “static-site” or flat website. As opposed to dynamic
then be sure to focus on keeping your operating websites, these types of sites reduce the attack surface
system and web hosting software up to date, just for hackers and will make your website more attack
like you would for your personal computer. Consider resistant.
Securing Accounts
and Devices
Protect Your WiFi Network
All these steps to protect web traffic from Do not forget the basics like using a strong password (not the
default password) on your WiFi router(s), ensuring that only
surveillance and censorship are important, authorized users have access to your network by frequently
but they are not a substitute for basic network changing the password, and enabling your wireless routers’
security in the office and at home. built-in firewall. Consider creating a guest network in your office
as well if you have visitors coming in and out of the building
who use the internet.
Staying Safe on the Internet
o Conduct regular training for staff on the importance of following basic web security
measures.
o Remind staff to always browse with HTTPS and encrypted DNS.
o Require staff to regularly restart their browsers to install updates.
o Encourage the use of privacy protecting browsers and extensions.
o If a VPN is appropriate given your organization’s context, choose a reputable one,
train staff on its use, and ensure it is consistently used.
o Develop and distribute a clear organizational policy on social media use.
o Enable privacy and security settings on all social media accounts.
o Understand the impacts of online harassment and be prepared to support staff who
are affected.
o Develop a list of local professionals, organizations, and law enforcement agencies
that you can connect staff to for legal, mental health, and technical assistance in
response to online harassment.
o Sign up for DDOS protection for your websites.
o Use a trusted, reliable web hosting provider.
o Use a strong password and a guest network for your office WiFi.

Securing Accounts
and Devices
Protecting
Physical
Security
Securing Accounts
and Devices
Securing Accounts
and Devices
It is essential to keep your devices physically world. This includes hard-copy documents;
secure. Keep in mind that physical security your organization’s office or work spaces; and
goes beyond just devices, and should include of course you, your staff, and volunteers.
strategies to protect everything else in your
Surveillance, Censorship, and Civil Society
Unfortunately, physical attacks on civil society democracy and governance space. For instance, the
organizations are not uncommon, and often have offices of LGBT+ Rights Ghana, a civic organization that
significant implications for both physical and in early 2021 opened the country’s first community
information security. One common tactic taken by center for the local LGBTQI+ community, were threatened
adversaries to suppress the activity of CSOs includes to be burned down, and were eventually raided
raiding and closing offices - to both intimidate staff and closed by police. Such raids not only impact an
and in some cases to steal or confiscate information organization’s physical operations, but can damage staff’s
and tech equipment. Such threats often target minority sense of security as well.
and human rights groups and CSOs operating in the

Securing Accounts
and Devices
Protecting Physical Assets
An essential component of information trusted companies that do not have an incentive to hand
over data and information to a potential adversary.
security is the physical security of your
devices. If the risk of break-in or office raid is high, keep the
organization’s most sensitive data away from the office
In addition to mitigating the impact of a stolen device by - either by being stored safely in the cloud (as discussed
using lockscreens and passwords, implementing full disk- earlier) or by being physically moved to a less targeted
encryption, and turning on remote wipe features, you should location. If old devices have information still stored on them
also consider how to keep those devices from being stolen in but are no longer in use, consider wiping them - this guide
the first place. To make theft more difficult, be sure to install from Wirecutter is a great resource on how to do this for
strong locks (and rotate them whenever staff change) at the most modern devices. If wiping your devices is not possible,
office and/or home. In addition, consider buying a laptop you can physically destroy them too. The easiest, if not most
safe or lockable cabinet to keep devices protected overnight. environmentally sensitive, way to do that is to break up the
Security cameras have become much less expensive, with devices and their hard drives with a hammer. Sometimes
simple versions designed for home use available more the oldest solutions still work the best! Even before these
widely. Such camera or motion sensor systems around the technical steps, take a moment to create an inventory of all
premises can detect and hopefully deter physical break-ins the equipment in the organization. If you do not have a list
and theft. Look for a privacy-respecting option available of all your devices, it is harder to keep track of what might be
in your country, and be sure to select cameras provided by missing if one gets stolen.
Setting up your own office security system
If a full office security system is out of your Android devices at different points in the office to notify
organization’s budget and you’re particularly concerned you of and record any unexpected guests and unwanted
about privacy you can try a creative option like the intruders. The Haven App can also be useful to set up in
Guardian Project’s Haven App to notify you of potential a hotel room or apartment if you are at heightened risk.
office intrusion. Haven is a smartphone app that can turn A full security system is best, but if that’s out of reach
any Android phone into a motion, sound, vibration and and you’d like to learn more about how to use the Haven
light detector. You can set up the app on a few cheap app you can visit the project website.
Securing Accounts
and Devices
trusted relationship. Whoever has access, someone trusted

WHAT DO WE DO WITH ALL should always be designated to lock up the office and ensure
devices are properly secured before leaving at the end of the
THIS PAPER? day.
It is likely that your organization has a lot of information that Are guests allowed inside the office? If so, ensure they do
is printed on paper, written in notebooks, or scribbled down not have access (or at least unattended access) to devices or
on Post-it notes. Some of this can be very sensitive: printouts sensitive hard-copy data. If it is a requirement or expectation
of budgets, lists of participants, sensitive letters from donors, that guests have internet access when they visit, you should set
and notes from private meetings. It is essential to think about up a “guest” network so that such guests do not have the ability
the security of this information as well. If you absolutely need to monitor your regular traffic. In general, only trusted personnel
to keep hard copies of sensitive information, ensure that it is should be able to access the network and network devices
stored safely in a locked cabinet or another safe place. Do not such as printers. It is also usually a good idea to require guest
keep any private or sensitive information (including passwords) registration so that you have a log of who has visited.
laying around on a desk or written up on a white board. If you
believe your organization to be at high risk of a break-in or raid, As you develop an office policy, the goal should be to allow only
keep highly sensitive information in a less targeted location. trusted people access to sensitive devices, documents, spaces,
To the extent possible, endeavor to dispose of unneeded hard- and systems.
copy information. Remember: if you do not have it, it cannot
be stolen. Set an organizational policy regarding ownership of
hard-copy notes, and be sure to collect any paper notes from SUPPORTING STAFF AND
staff if they decide to leave or are let go from the organization
(just like you would collect an organization-issued computer or VOLUNTEERS
phone). To get rid of sensitive paper, purchase a quality shredder.
A fun end-of-week activity can be taking a 15-minute break with Physical security threats to your organization can impact your
your staff to shred any leftover, sensitive print-outs or notes staff too. Similar to harassment on social media, these physical
from the prior week. security threats often disproportionately impact women and
marginalized communities. It is not just about broken windows
and stolen laptops. Intimidation, threats or instances of physical
THE OFFICE POLICY or sexual violence, domestic abuse, and fear of attack can have
a serious negative impact on the lives of staff. For organizations
Although for many the realities of “the office” have changed that work with or support politically active women in particular,
significantly since the beginning of the COVID-19 pandemic, NDI’s #Think10 Safety Planning Tool is a useful resource to
it is still important for your organization to set a clear policy provide those who might be at increased personal risk as a
regarding office access. Such a policy should address key result of their activity.
questions including who is allowed inside the office (and when),
who can access what office resources (like the WiFi network), The well-being of staff is obviously an important asset to them
and what to do about guests. as individuals, but it is also a crucial element to a healthy
and well-functioning organization. To that end, consider what
A simple yet important question to answer is who gets an additional resources you can provide to staff to keep them
office key. Only trusted staff should have keys, and locks should protected and, in the case of physical or digital attack, help
be changed when staff leave and/or on a semi-regular basis. them recover. As mentioned earlier in the Handbook, this means
During the day, any doors that are left unlocked should be in at a bare minimum developing a list of resources that you can
constant view of someone trusted in the organization. Also connect staff to for legal, medical, mental health, and technical
consider whether the organization has a trusted relationship assistance if needed. Once again PEN America’s Online Field
with your landlord or cleaning staff. Think about what Harassment Manual includes ideas for how organizations can
information or devices such people might have access to and support staff during and after crises, and Tactical Tech’s Holistic
ensure that is protected, particularly if you do not have that Security Manual includes relevant content on how organizations
often respond during times of intense threat.

Securing Accounts
and Devices
Chromebook can be a good option for such a device. Factory

SECURITY WHILE TRAVELING reset, or “wipe”, these devices upon their return before
connecting to common WiFi networks at home or the office.
Traveling - whether to another country or the town down the Prepare staff for what to do if they are questioned by authorities
road - often intensifies physical information security risks. It or stopped at a border crossing. Consider how you can limit
is generally safe to assume that you and your devices have the amount of information that someone travels with if this is
no privacy rights when crossing borders. As such, it is a good a concern, and create check-in protocols for staff traveling to
idea to include an organizational travel policy within your sensitive regions. Provide staff with contact information and a
security plan that includes reminders about key security best plan of action for what they should do if something goes wrong
practices. Your organization’s travel policy should include a lot on their trip. This includes information about local hospitals,
of the information covered in other sections of the Handbook clinics, or pharmacies should they need medical assistance
including using the internet securely, and keeping devices while traveling.
and other information sources physically secure and with you
at all times when traveling. If possible, leave your sensitive Staff should also keep all devices on their person while
information behind and just use a fresh, cleanly erased traveling. For example, keep your laptop at your feet (not the
computer, access the files you absolutely need from the cloud, overhead compartment or in checked luggage) when on a bus,
and then erase it when getting home again. train, or plane. Do not assume a hotel room – or even the hotel
safe – is a “safe place” to keep sensitive devices and items. Do
In addition to preparing for travel and minimizing the data not trust public USB charging ports. USB charging ports in
shared when you do travel, there are a few essential operational airports, stations, and vehicles are becoming an increasingly
tips that you should think through and include in your common sight, and a very convenient way to power up devices.
organizational travel policy. However, they can be an easy vector for picking up malware. So
be sure to either charge devices the traditional way through
Consider using travel-specific laptops or phones that have a plug in the wall, or purchase USB data blockers to allow
little to no sensitive data stored on them. If most of your traveling staff to safely charge up their devices via USB.
organization’s work is done in the cloud, a relatively inexpensive
Booking Travel Securely for Your Organization
When putting together a travel policy, keep in mind carefully about how you will securely share and store
what information might be exposed when you organize (if needed) personal information like passport details,
or book travel. This can be particularly important if you travel itineraries, and medical records. Tactical Tech’s
are organizing large events, trainings, or conferences Organizer Activity Book has a great worksheet to help
for which you are handling sensitive information your organization think through key questions related to
from a variety of staff, partners, or attendees. Think travel security, linked here.
Securing Accounts
and Devices
Protecting your Physical Security
o Remind staff to keep devices physically protected at all times.

o Check and secure all the ways people can get into your space - doors and windows.
o Develop an office guest and access policy.
o Use strong locks, and rotate/change them when needed.
o Consider setting up a camera or other office security system.
o Have and use a paper shredder.
• Set up dedicated staff time to dispose of hard-copy documents that contain
sensitive information.
o Develop a list of local professionals, organizations, and law enforcement agencies
that you can connect staff to for legal, medical, and mental health assistance in
response to physical attacks or threats.
o Develop an organizational travel policy.
o Ensure staff know what to do in case of emergency during travel, including
preparing staff for what to do if stopped at a border or checkpoint.
o Ahead of any local, national, or international travel, remind staff to limit information
stored on devices.
o Be mindful of the additional data that is created and shared when organizing travel
or events.

What To Do
When Things
Go Wrong
Securing Accounts
and Devices
Securing Accounts
and Devices
So, you know the right things to do. You have Borrowing from Tactical Tech’s Holistic Security Guide, a good
place to start with an incident response plan is defining an
put the policies in place and trained everybody incident or an emergency in the context of your organization.
in the organization on all the best practices. Decide what an “emergency” is – i.e, the point at which we
Even with all this hard work, it is very likely that should begin to implement the actions and contingency
measures planned. This is important as sometimes it will be
something will eventually go wrong. unclear – if you imagine a scenario such as losing contact with
a colleague on a field mission; how long would you wait before
Stuff happens. When it does, it is essential to have an incident
declaring an emergency? One does not want to jump too early,
response plan in place. Incident response is a crucial, and
but waiting too long can in some circumstances be disastrous.
often underrated, part of your organization’s security plan
It is also important to think through any operations steps as
because it can be the difference between an attack destroying
well. Assign each person a clear role that they are aware of and
your organization’s reputation or being an unpleasant bump
have agreed to in advance – this will reduce disorganization
in the road. Keep in mind that you can only respond to an
and panic in the event of an incident. In the case of each threat,
incident if you know about it. Having a strong organizational
consider the different roles that you may have to assume and
security culture and encouraging staff to report problems is
the practicalities involved in responding to an emergency.
very important. This is why it is better to reward good security
Within this important strategy for emergencies is the activation
behavior rather than punish security lapses or mistakes.
of a support network – a broad network of allies, which may
It is also important to express empathy and check on the
include friends and family, community, local allies, government
wellbeing of staff when they report an incident. You want staff
resources and national or international allies like NGOs and
to immediately report a clicked link in a phishing message, a
journalists. How can your allies support you? Should you contact
stolen phone, or a hacked social media account - not hesitate for
them in advance to verify that they will be willing to help you in
fear of retribution or lack of support. After all, incident response,
an emergency and let them know what you expect of them?
just like the mitigation strategies mentioned in other sections
of the Handbook, is an organization-wide effort.
When responding to an incident, effective communications
become increasingly important. Decide what the most secure
• What should you plan for? In short, anything that is
and effective means of communicating with each actor is in
somewhat likely to happen. That will look different for
different scenarios and identify a backup means. Be aware that
every organization, but common questions that an incident
for emergencies, it might be useful to have clear guidelines on
response plan will help answer include:
what to (and what not to) communicate, when to communicate,
• What do we do if our accounts or websites get hacked?
which channels to use to communicate, and with whom you
• What do we do if someone clicks on a phishing email or if
should communicate. Also consider the reputational impact of
a device is acting suspiciously?
an incident on your organization, and be prepared to respond
• What do we do if our emails or most sensitive documents
accordingly. Make sure that the organization’s communications
are stolen and leaked?
lead (in some organizations this might just be whoever
• What do we do if one of our employees is put in physical
manages the Facebook page or the Twitter account) is aware
danger or arrested? Or if they are struggling with stress
of the incident and can watch social media or other media for
and anxiety due to such threats?
potential impact. They should also be prepared to field possible
• What do we do if our office is damaged in a fire, flood, or
public or media inquiries about an incident if relevant. This is
natural disaster?
especially important for getting ahead of any potential negative
• What do we do if an employee’s computer or phone is lost
stories or reputational damage. While every incident and
or stolen?
context is different, honest and transparent communications
often help build trust in the aftermath of an incident.
The answers to these questions and others will differ by
organization, but it is important to think through them together
and clearly articulate and share a plan so that everyone in your
organization is prepared to take action immediately to limit the
damage.

Securing Accounts
and Devices
Creating an Early Alert and Response System
Consider establishing an Early Alert and Response again decreased. It should also include actions to be
System. Such a system sounds fancy, but it is essentially taken after an incident in order to protect those involved
just a centralized document (electronic or otherwise) from further harm and help them to recover physically
to be opened in the event of an emergency. In the and emotionally. An Early Alert and Response System
document, you should record all the details about the can provide useful documentation for sharing with law
security indicators and incidents which have occurred on enforcement (if applicable), subsequent analysis of what
a timeline, provide a clear description of the actions and has happened, and guidance on how to improve your
sequence for the planned response, and indicate what prevention tactics and responses to threats in the future.
needs to be achieved to signify that the risk has once
In addition to these important incident response concepts, legal counsel if necessary, and make a plan for what you would
your organization should also prepare for any specific technical do in response. It is a good idea to make an agreement with this
response. In some cases a technical response can be managed trusted counsel to represent you and your interests if needed in
by internal IT staff or system administrators. For example, if the aftermath of an incident. As part of this legal preparation,
an email account appears to have been hacked, your account make sure that you understand the legal obligations of any
administrator should be prepared and able to shut down vendors or partners. Are they required to notify you in the
or disable the impacted account. Some technical incidents, case of their own data breach? What support (if any) are they
however, might require expertise that you do not have within required to provide you in the case of an incident? As you
your organization. For situations like these, it is important to develop contracts and agreements with external vendors, keep
identify a trusted list of external technical experts who can the possibility of a data breach or other incident in mind.
assist you in your incident response. In some cases, you may
want to pre-negotiate terms with service providers (such as While there is no one-size fits all approach to incident response,
your website host or an IT consultant) to ensure that they having clear operational, communications, technical, and legal
are available (and would not charge extra) for such technical plans in place is essential. As you put together your incident
incident response. response plan, we strongly encourage you to make use of some
excellent existing resources, designed to help civil society
Last but certainly not least, you should consider legal steps. organizations and other high-risk groups navigate incident
Understanding the legal protections you might have, as well as response. These resources include the Digital First Aid Kit
the legal obligations or consequences your organization might developed by RaReNet and CiviCERT, PEN America’s Online
face as a result of a data breach or other security incident, is Harassment Field Manual, the Belfer Center’s Cybersecurity
important. A first step can be to identify trusted legal counsel Campaign Playbook and Cyber Incident Communications Plan
that understands your country or locality’s specific laws and Template, and Access Now’s Digital Security Helpline.
regulations. Take time to review possible incidents with relevant
Securing Accounts
and Devices
Incident Response
o Develop an organizational incident response plan, and practice it.

• Brainstorm possible incidents and prepare for your response before it happens.
o Ensure everyone in the organization is aware of how you will communicate and what
technical steps will be taken in the case of an incident.
o Take time to understand your legal protections and obligations.
o Be prepared to provide organizational staff the emotional and social support they
need in the aftermath of an incident.

Appendix A:
Recommended Resources
• Tactical Tech’s Holistic Security Manual ; Creative Commons Attribution-ShareAlike 4.0 International License
• Chapter 2.4 - Understanding and Cataloguing Our Information
• Chapter 1.5 - Communicating about Threats in Teams and Organizations
• Chapter 3.4 - Security in Groups and Organizations
• The Electronic Frontier Foundation’s Security Education Companion ; Creative Commons Attribution 3.0 US License
• Threat Modeling Activity Handout
• Freedom of the Press Foundation’s Phishing Prevention and Email Hygiene Guide ; Creative Commons Attribution
4.0 International License
• Freedom of the Press Foundation’s Locking Down Signal Guide ; Creative Commons Attribution 4.0 International
License
• Electronic Frontier Foundation’s Surveillance Self Defense (SSD) Guide ; Creative Commons Attribution 3.0 US
License
• What Should I Know About Encryption
• Communicating with Others
• Choosing the VPN That’s Right for You
• Frontline Defenders’ Guide to Secure Group Chat and Conferencing Tools
• Tactical Tech’s Data Detox Kit
• Let the Right One In: Make Your Passwords Stronger
• Strengthen Your Screen Locks
• Center for Democracy and Technology’s Elections Security Guide on Passwords ; Creative Commons Attribution 4.0
International License
• Center for Democracy and Technology’s Elections Security Guide on Two Factor Authentication ; Creative Commons
Attribution 4.0 International License
• Martin Shelton’s Two Factor Authentication for Beginners ; Creative Commons Attribution 4.0 International
License
• Tactical Tech and Frontline Defender’s Security in a Box ; Creative Commons Attribution-ShareAlike 3.0 Unported
License
• Protect your device from malware and phishing attacks
• Protect your information from physical threats
• SANS’ Ouch! Newsletter: Stop That Malware
• Apple’s Device and Data Access when Personal Safety is At Risk
• Global Cyber Alliance Cyber Hygiene for Mission-Based Organizations
Appendix B:
Security Plan Starter Kit
Use the following starter kit to take notes Be sure to reference the key “building blocks” in each section
of the Handbook too to ensure that you are covering the
as you and your organization read through important topics as you build your security plan. By the end of
the Handbook and digest the material, and the Handbook, the building blocks, answers to these discussion
consider the accompanying questions with questions, and your notes should form the foundation of a
successful security plan!
your colleagues to help generate productive
discussion.
Building a Culture of A Strong Foundation: Communicating and

Security Securing Accounts and Storing Data Securely
Devices
Staying Safe on the Protecting Physical What To Do When Things

Internet Security Go Wrong

Building a Culture of Security
QUESTIONS TO CONSIDER:
• When can you schedule a conversation to review your security plan with the entire organization?
• What days or times work well for the organization to schedule regular conversations and training about security?
• What steps can leadership take to model good security behavior and a commitment to a security plan? How can
others in the organization play a role in security?
YOUR NOTES AND IDEAS:
A Strong Foundation: Securing Accounts and Devices
• How will you implement account security measures - like a password manager and 2FA - across the organization?
What obstacles might you encounter during implementation?
• How will your organization ensure that devices are kept secure and updated? As part of this, will the organization
need a plan to address unlicensed software or computers?
• When is a good time to set up training for all staff on the dangers of phishing, malware, and device security best
practices?

Communicating and Storing Data Securely
• How will your organization implement end-to-end encrypted messaging for secure communication? What
obstacles might you encounter during implementation?
• How will your organization enforce a secure file sharing solution both internally and externally? What obstacles
might you encounter during implementation?
• How will your organization implement a secure data storage and backup solution? What obstacles might you
encounter during implementation?
Staying Safe on the Internet
• How will your organization implement secure browsing requirements such as HTTPS, a trusted browser, and, if
appropriate, a VPN for staff?
• What will be the key elements of your organization’s social media policy? How will it be enforced?
• How will your organization protect its websites and web properties?

Protecting Physical Security
• How will the organization distribute and enforce its office guest and access policy?
• Who is responsible for preparing staff for the physical and digital security challenges that they might face while
on travel for work?
• What steps can staff take to keep their devices safe and secure both at the office and while on travel?
What to Do When Things Go Wrong
• How will the organization distribute and practice its incident response policy?
• Are there resources available for staff who might be in need of emotional and social support in the aftermath of
an incident? If not, how might the organization be able to provide those resources in case of an incident?

Appendix C:
Image Citations
Page 17: CNP Collection, “Security Protection Anti-Virus Software cms”, 2014, digital image, Alamy
Stock Photo, https://www.alamy.com/security-protection-anti-virus-software-cms-image67114038.
html?irclickid=2oWTxrXnOxyIRKXzgq3HowdNUkDzCPSFpyViRI0&utm_source=77643&utm_campaign=Shop%20Royalty%20
Free%20at%20Alamy&utm_medium=impact&irgwc=1.
Page 24: Cottonbro, "Person Holding Black and Silver Key", 2020, digital image, Pexels, https://www.pexels.com/photo/
person-holding-black-and-silver-key-5474292/?utm_content=attributionCopyText&utm_medium=referral&utm_source=pexels.
Page 26: Blogtrepreneur, "Malware Infection", 2016, digital image, Flickr, https://www.flickr.com/photos/143601516@N03/.
Page 29: "Microsoft Loading Screen," digital image, Kompass, September 23, 2019, https://asset.kompas.com/crops/
kYVdzylbrYB5lIpuKDDwJLNFMV4=/164x49:679x393/750x500/data/photo/2018/07/02/4208974652.png.
Page 30: Mateuz Dach, "Turned-on iPhone and Displaying Icons," 2017, digital image, Pexels, https://www.pexels.com/photo/
turned-on-iphone-and-displaying-icons-365194/.
Page 33: Crete-Nishihata, "Process For a Phishing Email Sent in 2016," digital image, University of Toronto, January 30, 2017, https://
citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/.
Page 38: Andrew Keymaster, "People Gathering on Street During Daytime Photo," 2020, digital image, Unsplash, https://unsplash.
com/photos/JXQ2bizu7kc.
Page 39: Surveillance Self-Defense, "No Encryption in Transit," digital image, Electronic Frontier Foundation, January 17, 2019.
https://ssd.eff.org/en/module/what-should-i-know-about-encryption.
Page 40: Surveillance Self-Defense, "4.Transport-layer-alternate," digital image, Electronic Frontier Foundation, January 17, 2019,
https://ssd.Surveillance Self-Defense.org/files/2018/11/26/4.transport-layer-alternate.png. ; Surveillance Self-Defense, "6. End-
to-end Alternate", digital image, Electronic Frontier Foundation, January 17, 2019, https://ssd.Surveillance Self-Defense.org/
files/2018/11/26/6.end-to-end-alternate.png.
Page 42: Surveillance Self-Defense, "9._endtoendencryptionmetadata," 2019, digital image, Electronic Frontier Foundation, https://
ssd.eff.org/en/module/what-should-i-know-about-encryption.
Page 50: Brett Sayles, "Server Racks on Data Center," 2020, digital image, Pexels, https://www.pexels.com/photo/
server-racks-on-data-center-4508751/.
Page 55: PhotoMIX Company, 2016, "White 2 Cctv Cameras Mounted on Black Post Under Clear Blue Sky," digital image, Pexels,
https://www.pexels.com/photo/white-2-cctv-camera-mounted-on-black-post-under-clear-blue-sky-96612/.
Page 60: Stefan Coders, "laptop-screen-vpn-cyber-security," 2020, digital image, Unsplash, https://pixabay.com/photos/
laptop-screen-vpn-cyber-security-5534556/.
Page 62: Surveillance Self-Defense, "Using the Tor Browser," digital image, Electronic Frontier Foundation, April 25, 2020. https://
ssd.eff.org/files/2020/04/25/circumvention-tor_0.png
Page 64: Nathan Dumlao, "White Samsung Android Smartphone on Brown Wooden Table," 2020, digital image, Unsplash, https://
unsplash.com/photos/kLmt1mpGJVg.
Page 69: Matt Artz, "Two Broken 6-Pane On White Painted Wall Photo," digital image, Unsplash, October 1, 2017, https://unsplash.
com/photos/vT684iB7Ejg.

(English) Cybersecurity Handbook For Civil Society Organizations - 0

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

(English) Cybersecurity Handbook For Civil Society Organizations - 0

Uploaded by

Copyright:

Available Formats

Cybersecurity

Civil Society Organizations

A guide for civil society organizations looking to get

Civil Society Organizations

A guide for civil society organizations looking

The Top 10 6

Authors & Acknowledgments 7

Who are We? 7

Who is this Handbook for? 8

What is a security plan and why should my organization have one? 8

Creating your Organizational Cybersecurity Plan 11

Building a Culture of Security 12

Integrate Security into your Regular Operating Structure 13

Get Organizational Buy-In 14

Establish a Training Plan 14

A Strong Foundation: Securing Accounts and Devices 16

Secure Accounts: Passwords and Two Factor Authentication 18

Phishing: A Common Threat to Devices and Accounts 32

Communicating and Storing Data Securely 37

Communications and Sharing Data 38

Storing Data Securely 50

Staying Safe on the Internet 53

Social Media Safety 64

Keep your Websites Online 66

Protect your WiFi Network 67

Protecting Physical Security 68

Protecting Physical Assets 70

What To Do When Things Go Wrong 74

Appendix A: Recommended Resources 78

Appendix B: Security Plan Starter Kit 79

Case Study Extra Tips Real World

Advanced Security Plan Building Blocks

Building a Culture A Strong Foundation: Securing

Communicating and Staying Safe on

Protecting Physical What To Do When

Who are We?

Cyberattacks like these have significant consequences.

What is a security plan and why

2 Who are your adversaries and what are

As you identify possible threats, you are

To measure the impact of a threat, think about what your world

Once you have categorized your threats by likelihood and

Your goal is always to mitigate as much risk as possible, but no

Integrate Security into your Regular Operating

Building a Culture of Security 13

Get Organizational Buy-In

Establish a Training Plan

Building a Culture of Security

Building a Culture of Security 15

Secure Accounts and Civil Society

Secure Accounts: Passwords and Two-Factor

WHAT MAKES A GOOD PASSWORD?

Even if a password is long, it is not very good if it is something that an

USE A PASSWORD MANAGER Why do we need to use something new?

A Strong Foundation: Securing Accounts and Devices 19

a dedicated password manager so useful and beneficial to

browser extensions and a mobile app. With the paid version

Using a password manager for Your Organization

A Strong Foundation: Securing Accounts and Devices 21

WHAT IS TWO-FACTOR HOW CAN WE SET UP 2FA?

Authentication Apps Codes Via SMS

2FA and Civil Society

According to a recent Amnesty International report,

The Top 10 6

Authors & Acknowledgments 7

Who are We? 7

Who is this Handbook for? 8

What is a security plan and why should my organization have one? 8

Creating your Organizational Cybersecurity Plan 11

Building a Culture of Security 12

Integrate Security into your Regular Operating Structure 13

Get Organizational Buy-In 14

Establish a Training Plan 14

A Strong Foundation: Securing Accounts and Devices 16

Secure Accounts: Passwords and Two Factor Authentication 18

Phishing: A Common Threat to Devices and Accounts 32

Communicating and Storing Data Securely 37

Communications and Sharing Data 38

Storing Data Securely 50

Staying Safe on the Internet 53

Social Media Safety 64

Keep your Websites Online 66

Protect your WiFi Network 67

Protecting Physical Security 68

Protecting Physical Assets 70

What To Do When Things Go Wrong 74

Appendix A: Recommended Resources 78

Appendix B: Security Plan Starter Kit 79